Commit 7db15759 authored by Richard Pospesel, committed by Georg Koppen

Bug 15599: Range requests used by pdfjs are not isolated to URL bar domain

After much debugging and investigation, it seems that the required
information needed to drive the first-party domain cannot be accessed in
the XmlHttpRequest creation path.  The JS context the part of pdf.js making
the range requests runs with does not have a reference to parent window and
associated LoadInfo information (which includes the requesting first-party
domain).

To fix the issue, we can easily disable support for range-based requests
via the pdfjs.disableRange property.  However, the side-effect here is
that pages can not be read as they load; the entire pdf must be
downloaded before it can be read and interacted with.

This patch updates each platform's extension-overrides.js to change this
pref.
parent 79538fbf
......@@ -56,3 +56,7 @@ pref("noscript.restrictSubdocScripting", true);
pref("noscript.showVolatilePrivatePermissionsToggle", false);
pref("noscript.volatilePrivatePermissions", true);
pref("noscript.clearClick", 0);
# PDF.js
// needs to be a user_pref because pdf.js blows away non-user prefs with it's own defaults each time
user_pref("pdfjs.disableRange", true);
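Review bot: The comment above the added user_pref("pdfjs.disableRange", true) line explains why user_pref is used, but not why range requests are turned off. Suggest adding a line that ties the setting to Bug 15599 (range requests are not isolated to the URL bar domain), so that nobody re-enables it later to get incremental PDF loading back without knowing the isolation cost. Two smaller points in the same lines: "it's own" should read "its own", and the section marker uses # while the line after it uses //, so pick whichever style the rest of the file uses.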
......@@ -56,3 +56,7 @@ pref("noscript.restrictSubdocScripting", true);
pref("noscript.showVolatilePrivatePermissionsToggle", false);
pref("noscript.volatilePrivatePermissions", true);
pref("noscript.clearClick", 0);
# PDF.js
// needs to be a user_pref because pdf.js blows away non-user prefs with it's own defaults each time
user_pref("pdfjs.disableRange", true);
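Review bot: The last added line uses user_pref while every entry directly above it in this file uses pref(...), and the only justification is the one-line comment that pdf.js resets non-user prefs to its own defaults. Since the isolation fix depends entirely on this value sticking, it is worth confirming on an existing profile that the value is still true after pdf.js has run its default reset, and recording in the comment or the commit message how that was checked.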
......@@ -56,3 +56,7 @@ pref("noscript.restrictSubdocScripting", true);
pref("noscript.showVolatilePrivatePermissionsToggle", false);
pref("noscript.volatilePrivatePermissions", true);
pref("noscript.clearClick", 0);
# PDF.js
// needs to be a user_pref because pdf.js blows away non-user prefs with it's own defaults each time
user_pref("pdfjs.disableRange", true);
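Review bot: The pdfjs.disableRange block added at the end of this hunk is identical to the one in the two previous hunks, so the fix now lives in three copies that have to stay in sync. If one platform's copy is dropped or edited later, range requests on that platform go back to being unisolated with no visible error. Consider extending the comment to say that the same entry exists in the other platforms' extension-overrides.js files, or moving the entry to a location shared by all platforms if one exists.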