Merge pull request #14559 from Snuffleupagus/revert-9505

Revert "Don't block origin-less blob:-URLs in hosted viewer"
2022-02-13 14:10:22 +01:00 · 2022-02-13 14:10:22 +01:00 · 78246719f8
commit 78246719f8
parent c37d785b2a 911021002e
1 changed files with 2 additions and 5 deletions
--- a/web/app.js
+++ b/web/app.js
@ -2127,14 +2127,11 @@ if (typeof PDFJSDev === "undefined" || PDFJSDev.test("GENERIC")) {
        // Hosted or local viewer, allow for any file locations
        return;
      }
-      const { origin, protocol } = new URL(file, window.location.href);
+      const fileOrigin = new URL(file, window.location.href).origin;
      // Removing of the following line will not guarantee that the viewer will
      // start accepting URLs from foreign origin -- CORS headers on the remote
      // server must be properly configured.
-      // IE10 / IE11 does not include an origin in `blob:`-URLs. So don't block
-      // any blob:-URL. The browser's same-origin policy will block requests to
-      // blob:-URLs from other origins, so this is safe.
-      if (origin !== viewerOrigin && protocol !== "blob:") {
+      if (fileOrigin !== viewerOrigin) {
        throw new Error("file origin does not match viewer's");
      }
    } catch (ex) {