From 7c89bdc8d673ea347e5faa02155e6b401b135420 Mon Sep 17 00:00:00 2001
From: Yury Delendik
Date: Fri, 22 Jan 2016 11:54:19 -0600
Subject: [PATCH] Allow foriegn origin URLs only for hosted viewers.

---
 web/viewer.js | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/web/viewer.js b/web/viewer.js
index c56aff64b3953..dc748025f822d 100644
--- a/web/viewer.js
+++ b/web/viewer.js
@@ -1332,6 +1332,37 @@ window.PDFView = PDFViewerApplication; // obsolete name, using it as an alias
 //})();
 //#endif
 
+//#if GENERIC
+var HOSTED_VIEWER_ORIGINS = ['null',
+ 'http://mozilla.github.io', 'https://mozilla.github.io'];
+function validateFileURL(file) {
+ try {
+ var viewerOrigin = new URL(window.location.href).origin || 'null';
+ if (HOSTED_VIEWER_ORIGINS.indexOf(viewerOrigin) >= 0) {
+ // Hosted or local viewer, allow for any file locations
+ return;
+ }
+ var fileOrigin = new URL(file, window.location.href).origin;
+ // Removing of the following line will not guarantee that the viewer will
+ // start accepting URLs from foreign origin -- CORS headers on the remote
+ // server must be properly configured.
+ if (fileOrigin !== viewerOrigin) {
+ throw new Error('file origin does not match viewer\'s');
+ }
+ } catch (e) {
+ var message = e && e.message;
+ var loadingErrorMessage = mozL10n.get('loading_error', null,
+ 'An error occurred while loading the PDF.');
+
+ var moreInfo = {
+ message: message
+ };
+ PDFViewerApplication.error(loadingErrorMessage, moreInfo);
+ throw e;
+ }
+}
+//#endif
+
 function webViewerLoad(evt) {
 //#if !PRODUCTION
 require.config({paths: {'pdfjs': '../src'}});
@@ -1351,6 +1382,7 @@ function webViewerInitialized() {
 var queryString = document.location.search.substring(1);
 var params = parseQueryString(queryString);
 var file = 'file' in params ? params.file : DEFAULT_URL;
+ validateFileURL(file);
 //#endif
 //#if (FIREFOX || MOZCENTRAL)
 //var file = window.location.href.split('#')[0];
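Review bot: The `'null'` entry in `HOSTED_VIEWER_ORIGINS` assumes `new URL(window.location.href).origin` yields the string `"null"` for a `file:` viewer, but browsers have not agreed on that (Chrome has reported `"file://"` for file: URLs), so a local viewer may take the early return in one browser and fall through to the same-origin comparison in another; the comment at the `return` should spell out which case the entry covers, e.g. `// 'null' is the URL origin of file: (and other opaque) viewers; engines that report 'file://' instead fall through to the same-origin check below`. The `fileOrigin !== viewerOrigin` test inspects only the URL handed to the viewer, so as far as this hunk shows a same-origin open redirect whose target sends permissive CORS headers would still load a foreign PDF through a restricted viewer — the check narrows the `?file=` surface rather than closing it, and a one-line note next to the existing CORS comment, `// Only the initial URL is checked; redirects are followed by the loader and are subject to CORS, not to this test`, would keep future readers from treating it as a complete guard. The allowlist also admits plain `http://mozilla.github.io`, which keeps the any-origin behaviour for a viewer reached over HTTP; if the hosted demo is available over HTTPS only, dropping the `http:` entry shrinks the allowlisted surface.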