Sakurai/pdf.js
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Don't block origin-less blob:-URLs in hosted viewer

Browse Source
This commit is contained in:
Rob Wu 2018-02-23 12:48:52 +01:00
parent a8a7d815e7
commit a6aca3cabe
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
web/app.js
View File

@ -1503,11 +1503,14 @@ if (typeof PDFJSDev === 'undefined' || PDFJSDev.test('GENERIC')) {
// Hosted or local viewer, allow for any file locations
return;
}
let fileOrigin = new URL(file, window.location.href).origin;
let { origin, protocol, } = new URL(file, window.location.href);
// Removing of the following line will not guarantee that the viewer will
// start accepting URLs from foreign origin -- CORS headers on the remote
// server must be properly configured.
if (fileOrigin !== viewerOrigin) {
// IE10 / IE11 does not include an origin in `blob:`-URLs. So don't block
// any blob:-URL. The browser's same-origin policy will block requests to
// blob:-URLs from other origins, so this is safe.
if (origin !== viewerOrigin && protocol !== 'blob:') {
throw new Error('file origin does not match viewer\'s');
}
} catch (ex) {