@@ -1332,6 +1332,37 @@ window.PDFView = PDFViewerApplication; // obsolete name, using it as an alias
13321332//})();
13331333//#endif
13341334
1335+ //#if GENERIC
1336+ var HOSTED_VIEWER_ORIGINS = [ 'null' ,
1337+ 'http://mozilla.github.io' , 'https://mozilla.github.io' ] ;
1338+ function validateFileURL ( file ) {
1339+ try {
1340+ var viewerOrigin = new URL ( window . location . href ) . origin || 'null' ;
1341+ if ( HOSTED_VIEWER_ORIGINS . indexOf ( viewerOrigin ) >= 0 ) {
1342+ // Hosted or local viewer, allow for any file locations
1343+ return ;
1344+ }
1345+ var fileOrigin = new URL ( file , window . location . href ) . origin ;
1346+ // Removing of the following line will not guarantee that the viewer will
1347+ // start accepting URLs from foreign origin -- CORS headers on the remote
1348+ // server must be properly configured.
1349+ if ( fileOrigin !== viewerOrigin ) {
1350+ throw new Error ( 'file origin does not match viewer\'s' ) ;
1351+ }
1352+ } catch ( e ) {
1353+ var message = e && e . message ;
1354+ var loadingErrorMessage = mozL10n . get ( 'loading_error' , null ,
1355+ 'An error occurred while loading the PDF.' ) ;
1356+
1357+ var moreInfo = {
1358+ message : message
1359+ } ;
1360+ PDFViewerApplication . error ( loadingErrorMessage , moreInfo ) ;
1361+ throw e ;
1362+ }
1363+ }
1364+ //#endif
1365+
13351366function webViewerLoad ( evt ) {
13361367//#if !PRODUCTION
13371368 require . config ( { paths : { 'pdfjs' : '../src' } } ) ;
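Review bot: In validateFileURL the `|| 'null'` fallback on the viewer origin makes the check fail open: 'null' is itself listed in HOSTED_VIEWER_ORIGINS, so whenever `new URL(...).origin` comes back empty or undefined the viewer is treated as local and every file location is accepted. 'null' is also the serialized origin of opaque contexts such as sandboxed frames, not only file:// pages, so the comment `// Hosted or local viewer, allow for any file locations` understates what that entry matches. I would drop the fallback and reject an undeterminable origin before the allowlist lookup, e.g. `if (typeof viewerOrigin !== 'string' || !viewerOrigin) { throw new Error('cannot determine viewer origin'); }`. If a URL implementation without `origin` has to keep working for local use, that trade-off should be stated in a comment next to the fallback. The function also lacks a header comment saying that it restricts the `file` parameter to the viewer's own origin unless the viewer runs from an allowlisted origin, and that it reports the error and rethrows.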
@@ -1351,6 +1382,7 @@ function webViewerInitialized() {
13511382 var queryString = document . location . search . substring ( 1 ) ;
13521383 var params = parseQueryString ( queryString ) ;
13531384 var file = 'file' in params ? params . file : DEFAULT_URL ;
1385+ validateFileURL ( file ) ;
13541386//#endif
13551387//#if (FIREFOX || MOZCENTRAL)
13561388//var file = window.location.href.split('#')[0];
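Review bot: The new `validateFileURL(file);` call has no comment saying that it stops initialization by throwing, so the rest of webViewerInitialized is skipped when the origin check fails; a line such as `// Throws after reporting a loading error if 'file' is not same-origin with the viewer.` would make that control flow visible. validateFileURL is defined only under `//#if GENERIC`, while the `//#if` that opens the block around this call is outside the hunk, so it is worth confirming that the two conditions match; otherwise another build would call an undefined function. Only the `file` query parameter is checked here; whether other ways of opening a document go through the same validation cannot be seen from this hunk.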