Closed Bug 1376151 Opened 8 years ago Closed 8 years ago

Firefox treats pdf content sent inline in iframe as cross origin, when it is not.

Categories

(Core :: DOM: Security, defect)

54 Branch
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: donotspam, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:54.0) Gecko/20100101 Firefox/54.0
Build ID: 20170612122310

Steps to reproduce:

Serve a.php from https
a.php contains an iframe src=b.php
b.php:
- writes text content from database into html file using file_put_contents()
- calls wkhtmltopdf to create a pdf from the html file
- sets headers:
    header('Content-type: application/pdf');
    header('Content-Disposition: inline; filename="' . $filename . '.pdf"');
    header('Content-Transfer-Encoding: binary');
    header('Content-Length: ' . filesize("$file.pdf"));
    header('Accept-Ranges: bytes');
- reads resulting pdf with readfile() and sends this content inline to the iframe, which is displayed using pdf.js

Actual results:

Cannot use document.getElementById("the_iframe_id").window.print in a.php - blocked as cross-origin when it is not. Works in chrome.

Expected results:

document domain appears to be undefined - it should match the domain it's served from or, some other workaround to allow this functionality.
That should have said: Cannot use document.getElementById("the_iframe_id").contentWindow.print
Component: Untriaged → DOM: Security
application/pdf is not a "native" type in Firefox. Traditionally it was handled by plugins, and you would have no access to the frame's content. pdf.js is a kind of "JavaScript plugin" and it's likewise a black box as far as the browser goes. Since this is non-standard it's not terribly surprising different browsers handle this differently. You could XHR the raw PDF data in Firefox, but the rendered content is not a DOM so you can't access the content in a frame using JavaScript. Nor is it an image type so you can't use it as the source of a canvas and read it that way. Changing this in our browser would be non-trivial at this point and really should be discussed in our forums to gain interest. It's not something we can treat as a "bug".
Severity: normal → enhancement
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
I now see this seems to be a duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=911444 which apparently is being worked on - I had initially thought this was an https-related problem due to the way I encountered it. Hoping for a fix. Thanks