I need help getting pdf.js to address this security issue github.com/mozilla/pdf.js. They want someone to prove that compatibility with a sane Content-Security-Policy will not significantly hurt performance. I posted a new comment with my current thoughts:
I don't think they're going to change their mind, and needing to maintain a patch for this downstream complicates things for me and will continue to waste time as I'll keep needing to port it to new versions. The fact they aren't testing this also means it can regress further.
So, I need people to help with measuring the difference between the approaches, and then come up with a more optimized implementation that's not dynamically creating arbitrary style strings. Should also add some tests using CSP to make sure it keeps working with static JS/CSS.
I don't think the decision-making on this makes sense, but it needs to be assumed that they aren't going to change their minds. In my opinion, the optimization should be rolled back due to breaking basic security hygiene and people caring about < 1% performance can redo it sanely.
I see lots of people having fun bikeshedding differences in JavaScript / CSS code styles / idioms based on performance and here's your once in a lifetime opportunity to do it for a good cause. I lack motivation to do more than complain to them so really need some help with this.
