Page 1 of 1

allowing pdf.js only

Posted: Fri May 11, 2012 10:37 pm
by demoy
I have been using noscript along side pdf.js [mozilla project - i think their calling it call pdf viewer now] and i constantly need to allow All scripts from a webpage to render pdf, so could future versions allow pdf.js execute while other scripts are disabled.

The extension [pdf.js] is located at https://addons.mozilla.org/en-US/firefox/addon/pdfjs/?src=userprofile.
thanks.

Re: allowing pdf.js only

Posted: Fri May 11, 2012 11:10 pm
by GµårÐïåñ
I found that allowing pdf.js that appears on the NS menu, or more specifically the resource://pdf.js as well as blob: was sufficient to get the thing to work. As for needing to allow the path, once I temporary allowed JUST the domain-path of the PDF file itself, it worked just fine, without having to do anything else. So not sure what issue you are having here.

Keep in mind PDF.js is a script file, so its treated as such. Which means that it is subject to the same restrictions and requirements as any other script that NS handles. I think the failure here is that they are releasing a raw script file as an addon when in fact if they incorporated it properly into an actual chrome architecture, this issue would be for all intents and purposes moot. So its about poor implementation than anything else.

Now Giorgio can hack a special arrangement for this particular item, but the fact is that there is no vouching or knowing for sure that it will always be benign or a trustworthy resource that cannot be exploited like anything else as an attack vector. So to weaken NS by allowing this special circumstance would be something that I think is not really our, specifically the NS developer, Giorgio's, responsibility but rather as a late comer to the party, THEY should make every effort to make it seamless rather than require compromise from everyone else. Just saying.

Re: allowing pdf.js only

Posted: Fri May 11, 2012 11:46 pm
by demoy
fair point, thanks

Re: allowing pdf.js only

Posted: Wed Aug 29, 2012 6:07 pm
by dhouwn

Re: allowing pdf.js only

Posted: Thu Aug 30, 2012 11:24 am
by tlu
GµårÐïåñ wrote:I found that allowing pdf.js that appears on the NS menu, or more specifically the resource://pdf.js as well as blob: was sufficient to get the thing to work.


Hm, I tried that but didn't succeed with NS 2.5.3rc4 and FF 16 :( Is there anything else to consider or has something changed in the meantime?



Ah - I see. Should be https://github.com/mozilla/pdf.js/pull/1943

Re: allowing pdf.js only

Posted: Tue Sep 04, 2012 10:36 pm
by GµårÐïåñ
Not that I am aware of. I just tried before posting this with a random PDF (http://samplepdf.com/sample.pdf) and without even allowing the domain and just the script and blob allowed, it showed up, didn't even have to allow samplepdf.com

Re: allowing pdf.js only

Posted: Wed Sep 05, 2012 11:44 am
by tlu
GµårÐïåñ wrote:Not that I am aware of. I just tried before posting this with a random PDF (http://samplepdf.com/sample.pdf) and without even allowing the domain and just the script and blob allowed, it showed up, didn't even have to allow samplepdf.com


Okay, thanks. I just noticed that it works with FF 17 as mentioned by dhouwn.

Re: allowing pdf.js only

Posted: Sat Sep 08, 2012 7:01 pm
by GµårÐïåñ
No problem 8-)