[Webkit-unassigned] [Bug 251887] PDF.js viewer may be blocked by CORS
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Feb 14 13:23:36 PST 2023
https://bugs.webkit.org/show_bug.cgi?id=251887
--- Comment #3 from Michael Catanzaro <mcatanzaro at gnome.org> ---
The failing check is in canAccessDocument in JSDOMBindingSecurity.cpp:
active.document()->securityOrigin().isSameOriginDomain(targetDocument->securityOrigin())
Here the current document's origin is webkit-pdfjs-viewer://pdfjs while the target document's origin is https://dor.mo.gov (in the example from the first comment). The check always fails when loading any PDF document, but it only sometimes results in failure to display the document.
I guess expected behavior is for webkit-pdfjs-viewer:// to be treated as internal and have superpower to access all domains. (This is how the obsoleted ephy-pdf-viewer:// worked.)
If I try with 2.38.3, then the same check never fails, so something regressed. I'll attempt to bisect it.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20230214/bb4ea9e6/attachment.htm>
More information about the webkit-unassigned
mailing list