[Pkg-javascript-commits] [pdf.js] 01/109: [CRX] Do not load local files in non-local frames

David Prévot taffit at moszumanska.debian.org
Fri Sep 25 03:04:10 UTC 2015


This is an automated email from the git hooks/post-receive script.

taffit pushed a commit to branch master
in repository pdf.js.

commit 2d6b15d0d99e5af6e77916c88d04ef2d45a1afab
Author: Rob Wu <rob at robwu.nl>
Date:   Sat Jul 18 00:07:02 2015 +0200

    [CRX] Do not load local files in non-local frames
    
    Ordinarily, local files cannot be embedded in a non-local website. Until
    this commit, the extension allowed websites to embed local PDF files on
    non-local (e.g. http(s)) websites. This unintended feature is now
    disabled, to align better with Chrome's existing security policies
    (=local file:-URLs cannot be loaded in a tab unless explicitly allowed).
---
 web/chromecom.js | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/web/chromecom.js b/web/chromecom.js
index a4c9ee4..3c4a17e 100644
--- a/web/chromecom.js
+++ b/web/chromecom.js
@@ -113,6 +113,14 @@ var ChromeCom = (function ChromeComClosure() {
         });
         return;
       }
+      if (/^file?:/.test(file)) {
+        if (top !== window && !/^file:/i.test(location.ancestorOrigins[0])) {
+          PDFViewerApplication.error('Blocked ' + location.ancestorOrigins[0] +
+              ' from loading ' + file + '. Refused to load a local file in a ' +
+              ' non-local page for security reasons.');
+          return;
+        }
+      }
       PDFViewerApplication.open(file, 0);
     });
   };
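Review bot: The outer guard `/^file?:/.test(file)` is case-sensitive and carries a stray `?`, while the ancestor test on the next line uses `/^file:/i`, so a `file` value whose scheme is written in another case would skip the whole block and reach `PDFViewerApplication.open(file, 0)` unchecked, unless `file` is normalised earlier, outside this hunk. Use the same pattern for both tests: `if (/^file:/i.test(file)) {`. The inner check also reads only `location.ancestorOrigins[0]`, the immediate parent; if any non-local ancestor in a nested frame chain should block the load, every entry of `ancestorOrigins` needs to be tested. The enclosing callback starts above the hunk, so how `file` is derived is not visible here.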

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-javascript/pdf.js.git


