[Webkit-unassigned] [Bug 273435] PDF.js contains binary code
bugzilla-daemon at webkit.org
bugzilla-daemon at webkit.org
Tue Apr 30 07:21:40 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=273435
--- Comment #3 from Michael Catanzaro <mcatanzaro at redhat.com> ---
(In reply to Michael Catanzaro from comment #0)
> I thought the above was a good plan, but then I decided to check to be sure
> there isn't more wasm binary content in pdf.js. Unfortunately there is, it's
> quickjs-eval.js which is required to implement the PDF.js subsandbox, so
> removing it would have security implications. :S I'm pretty sure it's
> unacceptable to have this in WebKit, but we might have to discuss this with
> upstream before deciding what to do. One possibility is to actually depend
> on node.js, which would be sad.
Interestingly, Firefox does not ship this binary code at all. It's in build/pdf.sandbox.mjs, but Firefox has a different file instead, pdf.sandbox.external.sys.mjs. Firefox takes the upstream releases but builds everything itself with gulp, and must be doing something differently than upstream does. So there is a path forward here, though I don't yet understand how exactly.
One non-ideal option would be to just switch to the Firefox releases, although we'll want to wait and see how Firefox chooses to handle OpenJPEG. Might be better to investigate how the Firefox build works.
--
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20240430/f304481d/attachment.htm>
More information about the webkit-unassigned
mailing list