|
|
@@ -28,8 +28,8 @@ factory((root.pdfjsDistBuildPdf = {}));
|
|
|
// Use strict in our context only - users might not want it
|
|
|
'use strict';
|
|
|
|
|
|
-var pdfjsVersion = '1.4.21';
|
|
|
-var pdfjsBuild = 'e44dada';
|
|
|
+var pdfjsVersion = '1.4.23';
|
|
|
+var pdfjsBuild = '252b9d5';
|
|
|
|
|
|
var pdfjsFilePath =
|
|
|
typeof document !== 'undefined' && document.currentScript ?
|
|
|
@@ -416,6 +416,21 @@ function combineUrl(baseUrl, url) {
|
|
|
return new URL(url, baseUrl).href;
|
|
|
}
|
|
|
|
|
|
+// Checks if URLs have the same origin. For non-HTTP based URLs, returns false.
|
|
|
+function isSameOrigin(baseUrl, otherUrl) {
|
|
|
+ try {
|
|
|
+ var base = new URL(baseUrl);
|
|
|
+ if (!base.origin || base.origin === 'null') {
|
|
|
+ return false; // non-HTTP url
|
|
|
+ }
|
|
|
+ } catch (e) {
|
|
|
+ return false;
|
|
|
+ }
|
|
|
+
|
|
|
+ var other = new URL(otherUrl, base);
|
|
|
+ return base.origin === other.origin;
|
|
|
+}
|
|
|
+
|
|
|
// Validates if URL is safe and allowed, e.g. to avoid XSS.
|
|
|
function isValidUrl(url, allowRelative) {
|
|
|
if (!url) {
|
|
|
@@ -2460,6 +2475,7 @@ exports.isExternalLinkTargetSet = isExternalLinkTargetSet;
|
|
|
exports.isInt = isInt;
|
|
|
exports.isNum = isNum;
|
|
|
exports.isString = isString;
|
|
|
+exports.isSameOrigin = isSameOrigin;
|
|
|
exports.isValidUrl = isValidUrl;
|
|
|
exports.addLinkAttributes = addLinkAttributes;
|
|
|
exports.loadJpegStream = loadJpegStream;
|
|
|
@@ -8244,6 +8260,7 @@ var error = sharedUtil.error;
|
|
|
var deprecated = sharedUtil.deprecated;
|
|
|
var info = sharedUtil.info;
|
|
|
var isArrayBuffer = sharedUtil.isArrayBuffer;
|
|
|
+var isSameOrigin = sharedUtil.isSameOrigin;
|
|
|
var loadJpegStream = sharedUtil.loadJpegStream;
|
|
|
var stringToBytes = sharedUtil.stringToBytes;
|
|
|
var warn = sharedUtil.warn;
|
|
|
@@ -9434,6 +9451,14 @@ var PDFWorker = (function PDFWorkerClosure() {
|
|
|
return PDFJS.fakeWorkerFilesLoadedCapability.promise;
|
|
|
}
|
|
|
|
|
|
+ function createCDNWrapper(url) {
|
|
|
+ // We will rely on blob URL's property to specify origin.
|
|
|
+ // We want this function to fail in case if createObjectURL or Blob do not
|
|
|
+ // exist or fail for some reason -- our Worker creation will fail anyway.
|
|
|
+ var wrapper = 'importScripts(\'' + url + '\');';
|
|
|
+ return URL.createObjectURL(new Blob([wrapper]));
|
|
|
+ }
|
|
|
+
|
|
|
function PDFWorker(name) {
|
|
|
this.name = name;
|
|
|
this.destroyed = false;
|
|
|
@@ -9468,6 +9493,12 @@ var PDFWorker = (function PDFWorkerClosure() {
|
|
|
var workerSrc = getWorkerSrc();
|
|
|
|
|
|
try {
|
|
|
+ // Wraps workerSrc path into blob URL, if the former does not belong
|
|
|
+ // to the same origin.
|
|
|
+ if (!isSameOrigin(window.location.href, workerSrc)) {
|
|
|
+ workerSrc = createCDNWrapper(
|
|
|
+ combineUrl(window.location.href, workerSrc));
|
|
|
+ }
|
|
|
// Some versions of FF can't create a worker on localhost, see:
|
|
|
// https://bugzilla.mozilla.org/show_bug.cgi?id=683280
|
|
|
var worker = new Worker(workerSrc);
|
Pdf Bot