task-ELEMENTS-815-upgrade-PDF.js-2.0.943

[ataillefer]

No description provided.

[nuxeojenkins]

View issue in JIRA

[guirenard]

It is really hard to tell but 7d14710#diff-4ae27d25bd4fa36331f27e9ae0111d87R7368 has been committed some time ago and not sure we should double check that again ...

[ataillefer]

I'm not sure why exactly it was added in the first place, we should check with @nelsonsilva.
According to https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials,

The XMLHttpRequest.withCredentials property is a Boolean that indicates whether or not cross-site Access-Control requests should be made using credentials such as cookies, authorization headers or TLS client certificates. Setting withCredentials has no effect on same-site requests.

Do we want/need to allow cross-site requests with credentials?

Note that since then, pdf.js has switched to fetch() instead of XHR and uses same-origin as a default value for the credentials option, i.e.:

If you only want to send credentials if the request URL is on the same origin as the calling script, add credentials: 'same-origin'.

(see https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#Sending_a_request_with_credentials_included)

[nelsonsilva]

I'd rather keep cross-site requests with credentials just so the element acts as any other resource loading element (ie img) in which case the browser would send the credentials by default. The only reason we need to set this flag is because the implementation relies on fetch requests, which I'd rather keep as an "implementation detail". If we did not include the credentials by default we'd need to make it configurable since there are several use cases where the Nuxeo server is remove (dev server, static deployment, etc) so I'd rather keep it simple for now.

[ataillefer]

Applied the patch below to allow viewing a file in a static UI connected to a remote server with a CORS configuration allowing cross-domain requests:

1. Revert file origin validation, which was intentionnally added by Mozilla for several reasons detailed in
   Allow foriegn origin URLs only for hosted viewers. mozilla/pdf.js#6916, see mozilla/pdf.js@7c89bdc. This was preventing from viewing a file within Web UI in dev mode since latest upgrade to 1.5.188 (31003df).
2. Make cross-site Access-Control requests use credentials, which reflects 7d14710#diff-4ae27d25bd4fa36331f27e9ae0111d87R7368.

More precisely, without the patch:

1. was causing Error: file origin does not match viewer's.
2. was causing a 401.

diff --git a/web/app.js b/web/app.js
index b04eebf..9608fde 100644
--- a/web/app.js
+++ b/web/app.js
@@ -1501,7 +1501,9 @@ function webViewerInitialized() {
     let queryString = document.location.search.substring(1);
     let params = parseQueryString(queryString);
     file = 'file' in params ? params.file : AppOptions.get('defaultUrl');
-    validateFileURL(file);
+    // Revert https://github.com/mozilla/pdf.js/pull/6916 to allow viewing a file from a remote server
+    // with CORS headers properly configured in a static UI.
+    // validateFileURL(file);
   } else if (PDFJSDev.test('FIREFOX || MOZCENTRAL')) {
     file = window.location.href.split('#')[0];
   } else if (PDFJSDev.test('CHROME')) {
@@ -1626,7 +1628,7 @@ if (typeof PDFJSDev === 'undefined' || PDFJSDev.test('GENERIC')) {
     }

     if (file) {
-      PDFViewerApplication.open(file);
+      PDFViewerApplication.open(file, { withCredentials: true, });
     }
   };
 } else if (PDFJSDev.test('FIREFOX || MOZCENTRAL || CHROME')) {

[nelsonsilva]

👍
And thanks for updating the README 👌

[nelsonsilva]

👍

[guirenard]

👍