Merge pull request #9505 from Rob--W/hosted-viewer-blob-url

Don't block origin-less blob:-URLs in hosted viewer
mozilla · Feb 23, 2018 · 5f98f9b · 5f98f9b
2 parents a8a7d81 + a6aca3c
commit 5f98f9b
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/web/app.js b/web/app.js
@@ -1503,11 +1503,14 @@ if (typeof PDFJSDev === 'undefined' || PDFJSDev.test('GENERIC')) {
         // Hosted or local viewer, allow for any file locations
         return;
       }
-      let fileOrigin = new URL(file, window.location.href).origin;
+      let { origin, protocol, } = new URL(file, window.location.href);
       // Removing of the following line will not guarantee that the viewer will
       // start accepting URLs from foreign origin -- CORS headers on the remote
       // server must be properly configured.
-      if (fileOrigin !== viewerOrigin) {
+      // IE10 / IE11 does not include an origin in `blob:`-URLs. So don't block
+      // any blob:-URL. The browser's same-origin policy will block requests to
+      // blob:-URLs from other origins, so this is safe.
+      if (origin !== viewerOrigin && protocol !== 'blob:') {
         throw new Error('file origin does not match viewer\'s');
       }
     } catch (ex) {