cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
mozillian
Making moves
Status: New idea

I mean... Who even uses PDF Scripting except malicious actors?

4 Comments
Status changed to: New idea
Jon
Community Manager
Community Manager

Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes (aka kudos) and comments.

marco
Employee
Employee

@mozillianthe federal government of the United States is using JavaScript in many PDF forms, for example the ones used by citizens to submit their taxes.

If you consider the U.S. federal government to be a malicious actor, you should know other governments too use JS in PDFs, e.g. at least Italy and the United Kingdom.

Jokes aside, you can rest assured that the implementation in our PDF viewer is the most secure JS implementation possible. As the PDF viewer is basically a web page (being itself written in HTML, CSS and JavaScript). So in Firefox, JS in a PDF has exactly the same level of security as JS in a web page.

That said, in about:config, you can use the pdfjs.enableScripting preference to disable JS in PDFs and the javascript.enabled preference to disable JS in web pages.

mozillian
Making moves

@marcoi have no doubts on the security of the implementation of Javascript in PDF files, though is it at all possible you guys could at least add an "Enable javascript?" pop-up when a PDF file requests it? Just in case

marco
Employee
Employee

If we did that, we would need to do the same for JavaScript in normal web pages too, as they have basically the same security characteristics. It would be a pretty bad user experience.