From 911021002e8185e0622759fe1f4d47f4de0fc2d2 Mon Sep 17 00:00:00 2001
From: Jonas Jenwald <jonas.jenwald@gmail.com>
Date: Sat, 12 Feb 2022 11:32:10 +0100
Subject: [PATCH] Revert "Don't block origin-less blob:-URLs in hosted viewer"

This reverts commit a6aca3cabe581319d93c862cb0b85f71580cacfd, since no version of Internet Explorer is supported any more.
---
 web/app.js | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/web/app.js b/web/app.js
index 2fafc769d..f60bf0296 100644
--- a/web/app.js
+++ b/web/app.js
@@ -2127,14 +2127,11 @@ if (typeof PDFJSDev === "undefined" || PDFJSDev.test("GENERIC")) {
         // Hosted or local viewer, allow for any file locations
         return;
       }
-      const { origin, protocol } = new URL(file, window.location.href);
+      const fileOrigin = new URL(file, window.location.href).origin;
       // Removing of the following line will not guarantee that the viewer will
       // start accepting URLs from foreign origin -- CORS headers on the remote
       // server must be properly configured.
-      // IE10 / IE11 does not include an origin in `blob:`-URLs. So don't block
-      // any blob:-URL. The browser's same-origin policy will block requests to
-      // blob:-URLs from other origins, so this is safe.
-      if (origin !== viewerOrigin && protocol !== "blob:") {
+      if (fileOrigin !== viewerOrigin) {
         throw new Error("file origin does not match viewer's");
       }
     } catch (ex) {