[CRX] Do not load local files in non-local frames

Ordinarily, local files cannot be embedded in a non-local website. Until
this commit, the extension allowed websites to embed local PDF files on
non-local (e.g. http(s)) websites. This unintended feature is now
disabled, to align better with Chrome's existing security policies
(=local file:-URLs cannot be loaded in a tab unless expicitly allowed).

web/chromecom.js

@@ -113,6 +113,14 @@ var ChromeCom = (function ChromeComClosure() {
         });
         return;
       }
+      if (/^file?:/.test(file)) {
+        if (top !== window && !/^file:/i.test(location.ancestorOrigins[0])) {
+          PDFViewerApplication.error('Blocked ' + location.ancestorOrigins[0] +
+              ' from loading ' + file + '. Refused to load a local file in a ' +
+              ' non-local page for security reasons.');
+          return;
+        }
+      }
       PDFViewerApplication.open(file, 0);
     });
   };