pdf.js 2.2.228 (current stable release) is broken with a proper Content-Security-Policy due to a hack in an indirect dependency:
github.com/mozilla/pdf.js
The hack attempting dynamic code evaluation is triggered by "use strict" which can be considered a security feature too.
They use Babel to compile modern JavaScript to legacy JavaScript for supporting legacy browsers and it results in a bunch of nonsense like this. So, due to legacy browser support, anyone deploying it in a secure environment cannot update to the current stable release of pdf.js.
Anyway, skipping this version upgrade. It's far more important to run it in an environment with dynamic scripts and styles disabled (along with network access and any file / content access) than it is to keep it updated. Would appreciate if people stepped up to get this resolved.
It appears that a good solution would be creating an alternate pdf.js build target for evergreen browsers (i.e. latest stable releases) where Babel and a bunch of other dependencies wouldn't be required. It also really needs a test suite added for Content-Security-Policy usage.
Could also disable "use strict" in pdf.js for the time being to avoid this hack, but I'd much rather have a build target avoiding Babel and a bunch of other dependencies. It's too much of a mess and I'm sure these continued issues with CSP will keep coming up again and again.
