Sakurai/pdf.js
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #14559 from Snuffleupagus/revert-9505

Browse Source 
Revert "Don't block origin-less blob:-URLs in hosted viewer"
This commit is contained in:
Tim van der Meij 2022-02-13 14:10:22 +01:00 committed by GitHub
commit 78246719f8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
web/app.js
View File

@ -2127,14 +2127,11 @@ if (typeof PDFJSDev === "undefined" || PDFJSDev.test("GENERIC")) {
// Hosted or local viewer, allow for any file locations // Hosted or local viewer, allow for any file locations
return; return;
} }
const { origin, protocol } = new URL(file, window.location.href); const fileOrigin = new URL(file, window.location.href).origin;
// Removing of the following line will not guarantee that the viewer will // Removing of the following line will not guarantee that the viewer will
// start accepting URLs from foreign origin -- CORS headers on the remote // start accepting URLs from foreign origin -- CORS headers on the remote
// server must be properly configured. // server must be properly configured.
// IE10 / IE11 does not include an origin in `blob:`-URLs. So don't block if (fileOrigin !== viewerOrigin) {
// any blob:-URL. The browser's same-origin policy will block requests to
// blob:-URLs from other origins, so this is safe.
if (origin !== viewerOrigin && protocol !== "blob:") {
throw new Error("file origin does not match viewer's"); throw new Error("file origin does not match viewer's");
} }
} catch (ex) { } catch (ex) {