Since https://hg.mozilla.org/mozilla-central/rev/676c6c0096af#l3.12, PDF.js started to use `resource://pdf.js` instead of `*` to avoid bug 1449898. A consequence of this is that whenever the PDF viewer is opened in a tab with origin attributes (e.g. a private browsing window), that a non-actionable error message is printed to the console. STR: 1. Open any PDF file in a private browsing window. 2. Open the browser console for that tab. Expected: - No errors. Actual: - > Attempting to post a message to window with url "resource://pdf.js/web/viewer.html" and origin "resource://pdf.js^privateBrowsingId=1" from a system principal scope with mismatched origin "[System Principal]". - Fortunately, this is just an error message, the functionality works as intended The error message was introduced in https://hg.mozilla.org/mozilla-central/rev/d74bafb4a41e96ee48b41ded94b7c17a6403a4d6 There are currently no reasonable alternatives to get rid of the error. The following are available but have disadvantages: - Using `*` instead of the explicit origin would introduce a security regression (bug 1449898). - Using `domWindow.wrappedJSObject.postMessage` instead of `domWindow.postMessage` would result get rid of the error, but the source origin would no longer be considered chrome-privileged (i.e. `event.source` becomes non-null, and the message is rejected) (not to mention that `postMessage` method would be from a relatively untrusted context). Since the error is not actionable, I suggest to remove it as the simplest solution. If the error is desirable, then a way to allow callers to avoid the error is to update the `postMessage` method to accept a (`ChromeOnly`) option to specify the expected origin attributes/principal for the target window (e.g. via a new property in the [`WindowPostMessageOptions`](https://searchfox.org/mozilla-central/rev/a0ccd492719b1ad2106f6456549be62a76f45acb/dom/webidl/Window.webidl#800-802) dictionary for `window.postMessage`).
Bug 1685092 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Since https://hg.mozilla.org/mozilla-central/rev/676c6c0096af#l3.12, PDF.js started to use `resource://pdf.js` instead of `*` to avoid bug 1449898. A consequence of this is that whenever the PDF viewer is opened in a tab with origin attributes (e.g. a private browsing window), that a non-actionable error message is printed to the console. STR: 1. Open any PDF file in a private browsing window. 2. Open the content browser console for that tab (or the global browser console). Expected: - No errors. Actual: - > Attempting to post a message to window with url "resource://pdf.js/web/viewer.html" and origin "resource://pdf.js^privateBrowsingId=1" from a system principal scope with mismatched origin "[System Principal]". - Fortunately, this is just an error message, the functionality works as intended The error message was introduced in https://hg.mozilla.org/mozilla-central/rev/d74bafb4a41e96ee48b41ded94b7c17a6403a4d6 There are currently no reasonable alternatives to get rid of the error. The following are available but have disadvantages: - Using `*` instead of the explicit origin would introduce a security regression (bug 1449898). - Using `domWindow.wrappedJSObject.postMessage` instead of `domWindow.postMessage` would result get rid of the error, but the source origin would no longer be considered chrome-privileged (i.e. `event.source` becomes non-null, and the message is rejected) (not to mention that `postMessage` method would be from a relatively untrusted context). Since the error is not actionable, I suggest to remove it as the simplest solution. If the error is desirable, then a way to allow callers to avoid the error is to update the `postMessage` method to accept a (`ChromeOnly`) option to specify the expected origin attributes/principal for the target window (e.g. via a new property in the [`WindowPostMessageOptions`](https://searchfox.org/mozilla-central/rev/a0ccd492719b1ad2106f6456549be62a76f45acb/dom/webidl/Window.webidl#800-802) dictionary for `window.postMessage`).