Open maks-humeniuk opened 1 week ago
Bug Report or Feature Request (mark with an `x`)
- [ ] Regression (a behavior that used to work and stopped working in a new release)
- [ ] Bug report -> please search issues before submitting
- [x] Feature request
- [ ] Documentation issue or request
I'm using the library to load documents by BLOB in an external viewer, which opens the document in a new browser tab. The URL then looks like this: https://localhost:4200/assets/pdfjs/web/viewer.html?file=blob%3Ahttps%3A%2F%2Flocalhost%3A4200%2F00ff689b-bfca-44d0-bea7-a8331c073397&viewerId=ng2-pdfjs-viewer-ID1&beforePrint=true&afterPrint=true&pagesLoaded=true&pageChange=true&fileName=Car%20Loan%20Agreement.pdf&openFile=true&download=true&viewBookmark=true&print=true&fullScreen=true&find=true&locale=en-GB#&page=1&errorMessage=undefined&errorAppend=true
However, nothing prevents a user from changing the `file` query parameter value to e.g. this: https://localhost:4200/assets/pdfjs/web/viewer.html?file=https://corsproxy.io/?https://appex.no/wp-content/uploads/2024/06/test-pdf.pdf
This exposes the app to phishing attacks.
Could I somehow prevent such behavior in any way?
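
One way to restrict the `file` parameter described in the issue above, as an added example (not code from ng2-pdfjs-viewer or pdf.js): accept only same-origin URLs and blob URLs created by the viewer's own origin. `checkFileParam` and its return shape are hypothetical names, and running the check in `viewer.html` before the viewer script reads the query string is an assumption.

```javascript
// Added example: allowlist check for the viewer's `file` query parameter.
// checkFileParam is a hypothetical helper, not part of ng2-pdfjs-viewer.
function checkFileParam(viewerHref) {
  const viewer = new URL(viewerHref);
  const file = viewer.searchParams.get("file");
  if (!file) return { ok: false, reason: "missing file parameter" };

  // A blob URL embeds the origin that created it: blob:<origin>/<uuid>
  const isBlob = file.toLowerCase().startsWith("blob:");
  let target;
  try {
    // Non-blob values resolve against the viewer URL, as the browser would,
    // so relative paths stay same-origin and "//host/x" is seen as cross-origin.
    target = isBlob ? new URL(file.slice(5)) : new URL(file, viewer.href);
  } catch {
    return { ok: false, reason: "unparseable file parameter" };
  }
  if (target.protocol !== "https:" && target.protocol !== "http:") {
    return { ok: false, reason: "scheme not allowed: " + target.protocol };
  }
  if (target.origin !== viewer.origin) {
    return { ok: false, reason: "cross-origin file: " + target.origin };
  }
  return { ok: true, reason: isBlob ? "same-origin blob" : "same-origin URL" };
}

// The two URLs from the issue (shortened query), plus constructed variants.
const VIEWER = "https://localhost:4200/assets/pdfjs/web/viewer.html";
const SAMPLES = [
  VIEWER + "?file=blob%3Ahttps%3A%2F%2Flocalhost%3A4200%2F00ff689b-bfca-44d0-bea7-a8331c073397&viewerId=ng2-pdfjs-viewer-ID1",
  VIEWER + "?file=https://corsproxy.io/?https://appex.no/wp-content/uploads/2024/06/test-pdf.pdf",
  VIEWER + "?file=%2F%2Fother.example%2Fa.pdf",                 // constructed
  VIEWER + "?file=data%3Aapplication%2Fpdf%3Bbase64%2CAAAA",    // constructed
];

function runSamples() {
  return SAMPLES.map((href) => checkFileParam(href));
}

for (const result of runSamples()) {
  console.log(result.ok ? "ALLOW" : "BLOCK", "-", result.reason);
}
```

In the viewer page, the check would take `window.location.href` and stop the load when `ok` is false.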