Using example.com's principal to run pdf.js feels wrong. If we somehow exposed example.com to access the browsing context which has pdf.js running, example.com could get access to pdf.js internals.
Bug 1686200 Comment 3 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Using example.com's principal to run pdf.js feels wrong. If we somehow exposed example.com to access the browsing context which has pdf.js running, example.com could get access to pdf.js internals. Even if that didn't lead to security issues, it would expose browser internal code to the web.