From a6aca3cabe581319d93c862cb0b85f71580cacfd Mon Sep 17 00:00:00 2001
From: Rob Wu
Date: Fri, 23 Feb 2018 12:48:52 +0100
Subject: [PATCH] Don't block origin-less blob:-URLs in hosted viewer

---
 web/app.js | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/web/app.js b/web/app.js
index f78bee346e6ab..23f00ce8ed8a1 100644
--- a/web/app.js
+++ b/web/app.js
@@ -1503,11 +1503,14 @@ if (typeof PDFJSDev === 'undefined' || PDFJSDev.test('GENERIC')) {
 // Hosted or local viewer, allow for any file locations
 return;
 }
- let fileOrigin = new URL(file, window.location.href).origin;
+ let { origin, protocol, } = new URL(file, window.location.href);
 // Removing of the following line will not guarantee that the viewer will
 // start accepting URLs from foreign origin -- CORS headers on the remote
 // server must be properly configured.
- if (fileOrigin !== viewerOrigin) {
+ // IE10 / IE11 does not include an origin in `blob:`-URLs. So don't block
+ // any blob:-URL. The browser's same-origin policy will block requests to
+ // blob:-URLs from other origins, so this is safe.
+ if (origin !== viewerOrigin && protocol !== 'blob:') {
 throw new Error('file origin does not match viewer\'s');
 }
 } catch (ex) {
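Review bot: The `blob:` exemption on the new `if` line is broader than the IE10/IE11 case it is added for: a `blob:` URL whose origin parses normally but differs from `viewerOrigin` now also passes the viewer-side check, and the hunk relies solely on the browser's same-origin policy for `blob:` fetches to reject it, which the added comment states but the code no longer enforces. If the intent is only the origin-less case, the condition could be narrowed to that, e.g. `if (origin !== viewerOrigin && !(protocol === 'blob:' && origin === 'null'))`, assuming `'null'` is the origin the URL polyfill yields on those browsers — confirm before changing, since the exact value is not visible here. Separately, the destructured `origin` and `protocol` are never reassigned in the hunk, so `const { origin, protocol, } = new URL(file, window.location.href);` fits better than `let`. The enclosing try/catch starts before and ends after this hunk.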