Update to PDF.js 2.10.377 (!975) · Merge requests · GNOME / Epiphany

Michael Catanzaro requested to merge mcatanzaro/pdfjs-2.9.359 into master Jun 09, 2021

Original text:

This requires exempting ephy-resource:// from CORS, so that pdf.js can load its icons. Note this grants websites access to our icons, GtkBuilder UI, highlight.js, pdf.js, and readability.js. So... maybe we should not do that?

Since we have to open up a URI scheme to the entire web, with no way to restrict which pages are allowed to use it, I think we should define some new more-restricted URI scheme that grants access exclusively to PDF.js stuff. It's a shame we have no way to say "grant access to ephy-pdf-resource:// only from ephy-pdf:// or ephy-pdf-resource:// URIs."

Another reason for this to be WIP: it depends on WebKitGTK 2.33.2 for webkit_web_view_set_cors_allowlist(), and we're having trouble building 2.33.2.

CC everyone due to the above security implications that we should think about: @carlosgc @aperezdc @exalm @jbrummer

(Problems since resolved.)

Edited Aug 09, 2021 by Michael Catanzaro

Update to PDF.js 2.10.377

Merge request reports