diff --git a/bower.json b/bower.json
index 668b730b8..b83cdef86 100644
--- a/bower.json
+++ b/bower.json
@@ -1,6 +1,6 @@
 {
 "name": "pdfjs-dist",
- "version": "1.4.21",
+ "version": "1.4.23",
 "main": [
 "build/pdf.js",
 "build/pdf.worker.js"
diff --git a/build/pdf.combined.js b/build/pdf.combined.js
index 2c5666b00..4774acef9 100644
--- a/build/pdf.combined.js
+++ b/build/pdf.combined.js
@@ -28,8 +28,8 @@ factory((root.pdfjsDistBuildPdfCombined = {}));
 // Use strict in our context only - users might not want it
 'use strict';
-var pdfjsVersion = '1.4.21';
-var pdfjsBuild = 'e44dada';
+var pdfjsVersion = '1.4.23';
+var pdfjsBuild = '252b9d5';
 var pdfjsFilePath = typeof document !== 'undefined' && document.currentScript ?
@@ -9781,6 +9781,21 @@ function combineUrl(baseUrl, url) {
 return new URL(url, baseUrl).href;
 }
+// Checks if URLs have the same origin. For non-HTTP based URLs, returns false.
+function isSameOrigin(baseUrl, otherUrl) {
+ try {
+ var base = new URL(baseUrl);
+ if (!base.origin || base.origin === 'null') {
+ return false; // non-HTTP url
+ }
+ } catch (e) {
+ return false;
+ }
+
+ var other = new URL(otherUrl, base);
+ return base.origin === other.origin;
+}
+
 // Validates if URL is safe and allowed, e.g. to avoid XSS.
 function isValidUrl(url, allowRelative) {
 if (!url) {
@@ -11825,6 +11840,7 @@ exports.isExternalLinkTargetSet = isExternalLinkTargetSet;
 exports.isInt = isInt;
 exports.isNum = isNum;
 exports.isString = isString;
+exports.isSameOrigin = isSameOrigin;
 exports.isValidUrl = isValidUrl;
 exports.addLinkAttributes = addLinkAttributes;
 exports.loadJpegStream = loadJpegStream;
@@ -31178,6 +31194,7 @@ var error = sharedUtil.error;
 var deprecated = sharedUtil.deprecated;
 var info = sharedUtil.info;
 var isArrayBuffer = sharedUtil.isArrayBuffer;
+var isSameOrigin = sharedUtil.isSameOrigin;
 var loadJpegStream = sharedUtil.loadJpegStream;
 var stringToBytes = sharedUtil.stringToBytes;
 var warn = sharedUtil.warn;
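Review bot: In the new isSameOrigin, the second parse `var other = new URL(otherUrl, base);` sits outside the try block, so a malformed otherUrl (for example an absolute URL the URL parser rejects) throws a TypeError instead of the false that the header comment promises for unusable input. Moving that line into the try, directly after `var base = new URL(baseUrl);`, and keeping only the final `return base.origin === other.origin;` outside it preserves the stated contract; the caller added later in this diff only survives today because it invokes the function inside a try of its own. The same function body is added verbatim to build/pdf.js and build/pdf.worker.js in this commit, and if these build/ files are generated from the upstream sources, as the package description suggests, the fix belongs there. The header comment could also state that a base whose origin is 'null' (non-HTTP pages in browsers that report that value) makes every other URL count as cross-origin, since the call site relies on exactly that.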
@@ -32334,6 +32351,14 @@ var PDFWorker = (function PDFWorkerClosure() {
 return PDFJS.fakeWorkerFilesLoadedCapability.promise;
 }
+ function createCDNWrapper(url) {
+ // We will rely on blob URL's property to specify origin.
+ // We want this function to fail in case if createObjectURL or Blob do not
+ // exist or fail for some reason -- our Worker creation will fail anyway.
+ var wrapper = 'importScripts(\'' + url + '\');';
+ return URL.createObjectURL(new Blob([wrapper]));
+ }
+
 function PDFWorker(name) {
 this.name = name;
 this.destroyed = false;
diff --git a/build/pdf.js b/build/pdf.js
index 5c116fe3c..fc9d6cf53 100644
--- a/build/pdf.js
+++ b/build/pdf.js
@@ -28,8 +28,8 @@ factory((root.pdfjsDistBuildPdf = {}));
 // Use strict in our context only - users might not want it
 'use strict';
-var pdfjsVersion = '1.4.21';
-var pdfjsBuild = 'e44dada';
+var pdfjsVersion = '1.4.23';
+var pdfjsBuild = '252b9d5';
 var pdfjsFilePath = typeof document !== 'undefined' && document.currentScript ?
@@ -416,6 +416,21 @@ function combineUrl(baseUrl, url) {
 return new URL(url, baseUrl).href;
 }
+// Checks if URLs have the same origin. For non-HTTP based URLs, returns false.
+function isSameOrigin(baseUrl, otherUrl) {
+ try {
+ var base = new URL(baseUrl);
+ if (!base.origin || base.origin === 'null') {
+ return false; // non-HTTP url
+ }
+ } catch (e) {
+ return false;
+ }
+
+ var other = new URL(otherUrl, base);
+ return base.origin === other.origin;
+}
+
 // Validates if URL is safe and allowed, e.g. to avoid XSS.
 function isValidUrl(url, allowRelative) {
 if (!url) {
@@ -2460,6 +2475,7 @@ exports.isExternalLinkTargetSet = isExternalLinkTargetSet;
 exports.isInt = isInt;
 exports.isNum = isNum;
 exports.isString = isString;
+exports.isSameOrigin = isSameOrigin;
 exports.isValidUrl = isValidUrl;
 exports.addLinkAttributes = addLinkAttributes;
 exports.loadJpegStream = loadJpegStream;
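Review bot: createCDNWrapper builds the worker script by string concatenation, `var wrapper = 'importScripts(\'' + url + '\');';`, so a workerSrc containing a single quote or a backslash yields a syntactically broken or differently-parsed script; URL serialization in combineUrl does not percent-encode a quote in the path, so nothing upstream neutralises it. Emitting the URL as a JavaScript string literal, `var wrapper = 'importScripts(' + JSON.stringify(url) + ');';`, is the one-line fix. The workerSrc value presumably comes from the embedding application's configuration rather than from document content, so the exposure is limited, but the wrapper deliberately runs the remote script with the page's own origin (that is what the blob URL buys) and the header comment should say so in those words rather than only "rely on blob URL's property". The object URL returned here is never passed to URL.revokeObjectURL, so each worker construction leaves one small blob alive for the page's lifetime. The identical function is added to build/pdf.js later in this diff.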
@@ -8244,6 +8260,7 @@ var error = sharedUtil.error;
 var deprecated = sharedUtil.deprecated;
 var info = sharedUtil.info;
 var isArrayBuffer = sharedUtil.isArrayBuffer;
+var isSameOrigin = sharedUtil.isSameOrigin;
 var loadJpegStream = sharedUtil.loadJpegStream;
 var stringToBytes = sharedUtil.stringToBytes;
 var warn = sharedUtil.warn;
@@ -9434,6 +9451,14 @@ var PDFWorker = (function PDFWorkerClosure() {
 return PDFJS.fakeWorkerFilesLoadedCapability.promise;
 }
+ function createCDNWrapper(url) {
+ // We will rely on blob URL's property to specify origin.
+ // We want this function to fail in case if createObjectURL or Blob do not
+ // exist or fail for some reason -- our Worker creation will fail anyway.
+ var wrapper = 'importScripts(\'' + url + '\');';
+ return URL.createObjectURL(new Blob([wrapper]));
+ }
+
 function PDFWorker(name) {
 this.name = name;
 this.destroyed = false;
@@ -9468,6 +9493,12 @@ var PDFWorker = (function PDFWorkerClosure() {
 var workerSrc = getWorkerSrc();
 try {
+ // Wraps workerSrc path into blob URL, if the former does not belong
+ // to the same origin.
+ if (!isSameOrigin(window.location.href, workerSrc)) {
+ workerSrc = createCDNWrapper(
+ combineUrl(window.location.href, workerSrc));
+ }
 // Some versions of FF can't create a worker on localhost, see:
 // https://bugzilla.mozilla.org/show_bug.cgi?id=683280
 var worker = new Worker(workerSrc);
diff --git a/build/pdf.worker.js b/build/pdf.worker.js
index 6ddf2af3f..8b3cbfe2f 100644
--- a/build/pdf.worker.js
+++ b/build/pdf.worker.js
@@ -28,8 +28,8 @@ factory((root.pdfjsDistBuildPdfWorker = {}));
 // Use strict in our context only - users might not want it
 'use strict';
-var pdfjsVersion = '1.4.21';
-var pdfjsBuild = 'e44dada';
+var pdfjsVersion = '1.4.23';
+var pdfjsBuild = '252b9d5';
 var pdfjsFilePath = typeof document !== 'undefined' && document.currentScript ?
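Review bot: The new `if (!isSameOrigin(window.location.href, workerSrc))` branch in PDFWorker also fires when the page's own origin is 'null' (the case isSameOrigin treats as non-HTTP), so on such pages even a relative, locally served workerSrc is rewritten into a blob wrapper; if the worker cannot importScripts that URL, `new Worker(workerSrc)` throws inside this try and presumably reaches the fallback in the catch, which lies outside the hunk, as does the rest of the enclosing function. If that degradation is intended, the comment should say so, e.g. `// Pages whose origin is 'null' always take the blob-wrapper path.`; if not, the check should distinguish "different origin" from "no usable origin" before wrapping. The blob URL is also created before the Worker constructor is known to succeed and is never revoked, so a failed construction leaks it along with the successful ones.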
@@ -9713,6 +9713,21 @@ function combineUrl(baseUrl, url) {
 return new URL(url, baseUrl).href;
 }
+// Checks if URLs have the same origin. For non-HTTP based URLs, returns false.
+function isSameOrigin(baseUrl, otherUrl) {
+ try {
+ var base = new URL(baseUrl);
+ if (!base.origin || base.origin === 'null') {
+ return false; // non-HTTP url
+ }
+ } catch (e) {
+ return false;
+ }
+
+ var other = new URL(otherUrl, base);
+ return base.origin === other.origin;
+}
+
 // Validates if URL is safe and allowed, e.g. to avoid XSS.
 function isValidUrl(url, allowRelative) {
 if (!url) {
@@ -11757,6 +11772,7 @@ exports.isExternalLinkTargetSet = isExternalLinkTargetSet;
 exports.isInt = isInt;
 exports.isNum = isNum;
 exports.isString = isString;
+exports.isSameOrigin = isSameOrigin;
 exports.isValidUrl = isValidUrl;
 exports.addLinkAttributes = addLinkAttributes;
 exports.loadJpegStream = loadJpegStream;
diff --git a/package.json b/package.json
index 452f4446f..df24af4cc 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "pdfjs-dist",
- "version": "1.4.21",
+ "version": "1.4.23",
 "main": "build/pdf.js",
 "description": "Generic build of Mozilla's PDF.js library.",
 "keywords": [