Conversation
pdf.js 2.2.228 (current stable release) is broken with a proper Content-Security-Policy due to a hack in an indirect dependency:
github.com/mozilla/pdf.js
The hack attempting dynamic code evaluation is triggered by "use strict" which can be considered a security feature too.
1
6
They use Babel to compile modern JavaScript to legacy JavaScript for supporting legacy browsers and it results in a bunch of nonsense like this. So, due to legacy browser support, anyone deploying it in a secure environment cannot update to the current stable release of pdf.js.
1
3
Anyway, skipping this version upgrade. It's far more important to run it in an environment with dynamic scripts and styles disabled (along with network access and any file / content access) than it is to keep it updated. Would appreciate if people stepped up to get this resolved.
1
3
It appears that a good solution would be creating an alternate pdf.js build target for evergreen browsers (i.e. latest stable releases) where Babel and a bunch of other dependencies wouldn't be required. It also really needs a test suite added for Content-Security-Policy usage.
1
1
4
Could also disable "use strict" in pdf.js for the time being to avoid this hack, but I'd much rather have a build target avoiding Babel and a bunch of other dependencies. It's too much of a mess and I'm sure these continued issues with CSP will keep coming up again and again.