InformAction Forums

Right.
Only if you use a plugin that opens a PDF embedded within the browser window.

Just to be clear, when we click a link to a PDF document we've got 3 possible scenarios:

1. No PDF-handling software is installed and the Firefox version we're using does not contain PDF.js: in this case, the PDF is treated as unknown content and you're either asked to install a plugin or to download the file, depending on the content-disposition HTTP header.
2. The PDF handling software we've got installed offers a browser plugin and we've not disabled it, plus there's no PDF.js or PDF.js is disabled: in this case (the most common up now), the PDF file is plugin content an blocked by NoScript, with placeholder.
3. The installed PDF software has no browser plugin, or we disabled/uninstalled it: in this case, if we configured Firefox to handle the PDF content type through the external program, it will be passed to it, otherwise we will be asked for plugin installation or the content will be passed to PDF.js for processing (if enabled).

Hence, PDF files are treated as plugin content and blocked by NoScript only in case #2, when the first processing choice is actually a browser plugin.

1. Correct.
3. Assume correct, though I didn't actually try it.

> 2. The PDF handling software we've got installed offers a browser plugin and we've not
> disabled it, plus there's no PDF.js or PDF.js is disabled: in this case (the most common
> up now), the PDF file is plugin content an blocked by NoScript, with placeholder.

That is correct, except there is no longer any placeholder in Aurora (or Nightly).
(Placeholder displays in FF 18 Release. Also when I split the tab, pictured page before, then too did the placeholder display - even in Aurora.)


Tab Split, Vertical:

Fixed in latest development build 2.6.4.4rc3, thanks.

Glad we got that cleared up; that therube's issue was fixed; and that I wasn't too far off the mark.

However, still a bit unclear in my case. Win XP, my Fx 18.x is PortableEdition, and Foxit Reader is the default and *only* pdf reader on the system.
As therube said, about:config pdfjs.disabled defaults to "true" -- but I can't find any such file in the portable edition. Perhaps they omitted it?

Foxit reader has no apparent "plug-in" options. Fx Options > Applications added .pdf only sometime fairly recently, IIRC; in F2 and F3 it wasn't there.
Yet despite no choice in F2-3, and default "always ask" in F18, it is not (case #1) "treated as unknown content and you're either asked to install a plugin or to download the file, depending on the content-disposition HTTP header"; rather, a normal "Open? Save? Cancel?" box appears, allowing it to be opened directly, albeit not embedded in the web page.

So I have case #3, "The installed PDF software has no browser plugin... in this case, if we configured Firefox to handle the PDF content type through the external program..." (I didn't, but Fx was smart enough to figure it out for itself) "...it will be passed to it..."
Which seems to be exactly what happens, thus confirming therube's question regarding case #3.

Correct?

Sorry this got so confusing, but it was good to publicize these three completely different use cases.
Thanks for your time, Giorgio.

That's got it, thanks .


> Fx 18.x

To begin with, FF 18 was not affected.

> pdfjs.disabled defaults to "true" -- but I can't find any such file in the portable edition

Not sure what "file" you are looking for? pdfjs is not (no longer is) a separate extension, but (now) part & parcel of FF.

Within omni.ja you will find stuff like: > Foxit reader has no apparent "plug-in" options.

Yes it does, npFoxitReaderPlugin.dll, though I have never used it.
(I do have the Adobe Acrobat Reader plugin, nppdf32.dll.
Oh, options, I wouldn't have a clue.

PS: Older Foxit's have vulnerabilities, so you should update to the most recent, 5.4.5.114, last I checked. Also beware of "goodies" in the EXE version.


3. Helper Applications also plays into it. You can have pdfjs enabled, & Helper Applications set to "Use Adobe Reader", in which case it would do so (opening externally). Likewise even if Adobe Acrobat Reader plugin is left enabled, Helper Applications will still determine how PDFs are opened. If "Use Adobe Acrobat (in Firefox)" is selected, it will override both pdfjs & opening externally in Adobe Acrobat Reader.

So it looks like Help Applications has the controlling role in what happens.

therube wrote: > Fx 18.x

To begin with, FF 18 was not affected.

Sorry I missed that.

> pdfjs.disabled defaults to "true" -- but I can't find any such file in the portable edition

Not sure what "file" you are looking for? pdfjs is not (no longer is) a separate extension, but (now) part & parcel of FF.

Thanks.

> Foxit reader has no apparent "plug-in" options.

Yes it does, npFoxitReaderPlugin.dll, though I have never used it.

Perhaps the older versions did not. I can't find any such file on my system.

PS: Older Foxit's have vulnerabilities, so you should update to the most recent, 5.4.5.114, last I checked. Also beware of "goodies" in the EXE version.

The best *non*-vulnerability in Foxit 2.0 is the complete lack of native support for *any* executable content, including JS. Theoretically, making any vulns much harder to exploit, if they can at all.

Footprint of v2 < 4 MB. I understand that the footprint of the latest version is about 45-50 MB. They have a long way to go to catch up to Adobe, but it looks like they're trying.
Larger size = larger attack surface. More code = more room for coding errors and insecure code. IMHO. YMMV.

3. Helper Applications also plays into it. ...So it looks like Help Applications has the controlling role in what happens.

I presume you mean the NS Options > Applications box. Never bothered with it, having only one pdf reader and pdfjs default-disabled.