Sakurai/pdf.js
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

[security] Verify message source in Firefox add-on

Browse Source 
And put initPassiveLoading within a preprocessor block because
it is only used by Firefox.
This commit is contained in:
Rob Wu 2014-01-26 12:55:48 +01:00
parent 520fdf2f6a
commit 7bbff32a4d
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
web/viewer.js
View File

@ -446,6 +446,7 @@ var PDFView = {
(this.container.scrollWidth > this.container.clientWidth)); (this.container.scrollWidth > this.container.clientWidth));
}, },
//#if (FIREFOX || MOZCENTRAL)
initPassiveLoading: function pdfViewInitPassiveLoading() { initPassiveLoading: function pdfViewInitPassiveLoading() {
var pdfDataRangeTransport = { var pdfDataRangeTransport = {
rangeListeners: [], rangeListeners: [],
@ -482,6 +483,11 @@ var PDFView = {
}; };
window.addEventListener('message', function windowMessage(e) { window.addEventListener('message', function windowMessage(e) {
if (e.source !== null) {
// The message MUST originate from Chrome code.
console.warn('Rejected untrusted message from ' + e.origin);
return;
}
var args = e.data; var args = e.data;
if (typeof args !== 'object' || !('pdfjsLoadAction' in args)) if (typeof args !== 'object' || !('pdfjsLoadAction' in args))
@ -514,6 +520,7 @@ var PDFView = {
}); });
FirefoxCom.requestSync('initPassiveLoading', null); FirefoxCom.requestSync('initPassiveLoading', null);
}, },
//#endif
setTitleUsingUrl: function pdfViewSetTitleUsingUrl(url) { setTitleUsingUrl: function pdfViewSetTitleUsingUrl(url) {
this.url = url; this.url = url;