Mozilla Connect

Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes (aka kudos) and comments.

@mozillianthe federal government of the United States is using JavaScript in many PDF forms, for example the ones used by citizens to submit their taxes.

If you consider the U.S. federal government to be a malicious actor, you should know other governments too use JS in PDFs, e.g. at least Italy and the United Kingdom.

Jokes aside, you can rest assured that the implementation in our PDF viewer is the most secure JS implementation possible. As the PDF viewer is basically a web page (being itself written in HTML, CSS and JavaScript). So in Firefox, JS in a PDF has exactly the same level of security as JS in a web page.

That said, in about:config, you can use the pdfjs.enableScripting preference to disable JS in PDFs and the javascript.enabled preference to disable JS in web pages.

@marcoi have no doubts on the security of the implementation of Javascript in PDF files, though is it at all possible you guys could at least add an "Enable javascript?" pop-up when a PDF file requests it? Just in case

If we did that, we would need to do the same for JavaScript in normal web pages too, as they have basically the same security characteristics. It would be a pretty bad user experience.

Uhh, the browser can't distinguish between a PDF file that's either local or online and an html website?

The browser can distinguish between them, but, as I said above, they have exactly the same security characteristics. JavaScript in a PDF can't do anything more than JavaScript in a website.

Given that, why would we treat JavaScript in a PDF differently than JavaScript in a website?

I mean, you can't use extensions on local pdf files, that's already treating the files different as you still can do so on local html files

@mozillianthe files can be treated differently by the browser, that's not a problem.

The thing is that there's no point disabling JavaScript exclusively in PDFs, because it's not a security risk.

If you can think of other reasons why JavaScript should be disabled in PDFs outside security, feel free to suggest it and we'll consider it!

I mean, people don't expect PDF files to use javascript, other then possibly somehow being leveraged for compromising security, (unsure) they might somehow be used to track how the people interact with the file? Or possibly a malicious actor might just use javascript to trigger somebodies epilepsy by flashing colors on & off on people's screens... I honestly don't know how much javascript firefox allows to be in pdf files but in the end if it's the same amount as html websites then that might be leveraged just to cause inconvenient stuff possibly, and it's not like this is a very-very essential feature that people use everyday so why risk it instead of showing a small pop-up that'll probably bother a normal user like once every 2 years or something and possibly just have a "remember option" button in the settings? That aside, a truly dedicated malicious actor would probably find some way to leverage it for their own benefit, and a truly dedicated malicious actor is probably up to no simple troll.

@mozillian  the thing is: the same applies to normal websites. E.g. a malicious actor might use javascript to trigger somebody epilepsy by flashing colors on normal websites just as on PDFs.

If we believe JavaScript in Firefox is risky, then it is risky exactly in the same way in PDFs as in normal websites and we would need to block its execution and ask the user in both normal websites and PDFs. There is no point in making a difference because the characteristics are basically the same.

In other readers the situation is very different because they are native and so prone to security bugs.