Open maks-humeniuk opened 1 week ago
x
- [ ] Regression (a behavior that used to work and stopped working in a new release) - [ ] Bug report -> please search issues before submitting - [x] Feature request - [ ] Documentation issue or request
I'm using the library to load documents by BLOB in external viewer, which opens the document in a new browser tab. The URL then looks like this: https://localhost:4200/assets/pdfjs/web/viewer.html?file=blob%3Ahttps%3A%2F%2Flocalhost%3A4200%2F00ff689b-bfca-44d0-bea7-a8331c073397&viewerId=ng2-pdfjs-viewer-ID1&beforePrint=true&afterPrint=true&pagesLoaded=true&pageChange=true&fileName=Car%20Loan%20Agreement.pdf&openFile=true&download=true&viewBookmark=true&print=true&fullScreen=true&find=true&locale=en-GB#&page=1&errorMessage=undefined&errorAppend=true
However, nothing prevents user from changing file query parameter value to e.g. this: https://localhost:4200/assets/pdfjs/web/viewer.html?file=https://corsproxy.io/?https://appex.no/wp-content/uploads/2024/06/test-pdf.pdf
file
This exposes the app to phishing attacks.
Could I somehow prevent such behavior in any way?
Bug Report or Feature Request (mark with an
x)I'm using the library to load documents by BLOB in external viewer, which opens the document in a new browser tab. The URL then looks like this: https://localhost:4200/assets/pdfjs/web/viewer.html?file=blob%3Ahttps%3A%2F%2Flocalhost%3A4200%2F00ff689b-bfca-44d0-bea7-a8331c073397&viewerId=ng2-pdfjs-viewer-ID1&beforePrint=true&afterPrint=true&pagesLoaded=true&pageChange=true&fileName=Car%20Loan%20Agreement.pdf&openFile=true&download=true&viewBookmark=true&print=true&fullScreen=true&find=true&locale=en-GB#&page=1&errorMessage=undefined&errorAppend=true
However, nothing prevents user from changing
filequery parameter value to e.g. this: https://localhost:4200/assets/pdfjs/web/viewer.html?file=https://corsproxy.io/?https://appex.no/wp-content/uploads/2024/06/test-pdf.pdfThis exposes the app to phishing attacks.
Could I somehow prevent such behavior in any way?