Mozilla Connect

Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes (aka kudos) and comments.

@mozillianthe federal government of the United States is using JavaScript in many PDF forms, for example the ones used by citizens to submit their taxes.

If you consider the U.S. federal government to be a malicious actor, you should know other governments too use JS in PDFs, e.g. at least Italy and the United Kingdom.

Jokes aside, you can rest assured that the implementation in our PDF viewer is the most secure JS implementation possible. As the PDF viewer is basically a web page (being itself written in HTML, CSS and JavaScript). So in Firefox, JS in a PDF has exactly the same level of security as JS in a web page.

That said, in about:config, you can use the pdfjs.enableScripting preference to disable JS in PDFs and the javascript.enabled preference to disable JS in web pages.

@marcoi have no doubts on the security of the implementation of Javascript in PDF files, though is it at all possible you guys could at least add an "Enable javascript?" pop-up when a PDF file requests it? Just in case

If we did that, we would need to do the same for JavaScript in normal web pages too, as they have basically the same security characteristics. It would be a pretty bad user experience.

Uhh, the browser can't distinguish between a PDF file that's either local or online and an html website?

The browser can distinguish between them, but, as I said above, they have exactly the same security characteristics. JavaScript in a PDF can't do anything more than JavaScript in a website.

Given that, why would we treat JavaScript in a PDF differently than JavaScript in a website?

I mean, you can't use extensions on local pdf files, that's already treating the files different as you still can do so on local html files

@mozillianthe files can be treated differently by the browser, that's not a problem.

The thing is that there's no point disabling JavaScript exclusively in PDFs, because it's not a security risk.

If you can think of other reasons why JavaScript should be disabled in PDFs outside security, feel free to suggest it and we'll consider it!

I mean, people don't expect PDF files to use javascript, other then possibly somehow being leveraged for compromising security, (unsure) they might somehow be used to track how the people interact with the file? Or possibly a malicious actor might just use javascript to trigger somebodies epilepsy by flashing colors on & off on people's screens... I honestly don't know how much javascript firefox allows to be in pdf files but in the end if it's the same amount as html websites then that might be leveraged just to cause inconvenient stuff possibly, and it's not like this is a very-very essential feature that people use everyday so why risk it instead of showing a small pop-up that'll probably bother a normal user like once every 2 years or something and possibly just have a "remember option" button in the settings? That aside, a truly dedicated malicious actor would probably find some way to leverage it for their own benefit, and a truly dedicated malicious actor is probably up to no simple troll.

@mozillian  the thing is: the same applies to normal websites. E.g. a malicious actor might use javascript to trigger somebody epilepsy by flashing colors on normal websites just as on PDFs.

If we believe JavaScript in Firefox is risky, then it is risky exactly in the same way in PDFs as in normal websites and we would need to block its execution and ask the user in both normal websites and PDFs. There is no point in making a difference because the characteristics are basically the same.

In other readers the situation is very different because they are native and so prone to security bugs.

I know this thread is pretty old, but I have to chime in because I use No-Script to handle java execution on websites for security. Surfing the web without No-Script is like having sex with random people without using protection. It's just a matter of time before you catch an STD. Using No-Script, in conjunction with an option to disable java in PDF files viewed in Firefox, would be ideal, as I use Firefox to view PDF files by default. The fact that most all PDF files are compressed with high entropy is cause for concern at the very least. AV databases cannot detect malicious code embedded in PDF files in the wild that are novel. If a website does not load properly when I have No-Script running, I usually just leave that site and don't go there unless I trust the site 100%. There is no "running away" from a compressed PDF file with unknown java that runs when you open it.

This thread raises valid concerns about JavaScript in PDFs, but I can see Mozilla's point about treating it the same as JavaScript on websites. A simple "Enable JavaScript?" pop-up for PDFs, with a "remember this choice" option, could strike a good balance between security and user experience.

As someone with scripting experience (especially in environments like Roblox, where scripts can also be exploited), I get the importance of user control over script execution. A feature like this could give advanced users peace of mind without overcomplicating things for everyone else.

Regards: InstUp

@marcowhy do you think JS is handled the same on the web vs on PDFs? On the web, as @OldSchoolGuy tried to say before getting confusing is that on web pages, any user can choose to block JS via extensions, be it for security, privacy and/or performance. The same isn't true for PDFs, so you technically already handle things differently.

And yes, the privacy aspect at least is also true for PDFs. Technically I see no reason why someone couldn't use the same tracking techniques in a PDF as they are used on the web, i.e. sending data about your device and PDF viewer in use every time you open a PDF in any PDF reader that allows for execution of JS, no matter if you open it from your local files or from a web page. That's why most PDF readers that do support JS allow you to restrict the execution of it.

JavaScript in PDFs is isolated in a way that makes it impossible to use the normal web APIs. For this reason, for example, it can't use the network. This means tracking users is effectively impossible.

I found a way to disable it manually. Going to About:Config and finding the "pdfjs.enableScripting" option and setting it to "False" does the job. I find it interesting that the browser already has the capability to disable the scripting, but there is no option for a user to toggle it off and on in any of the menus. If the capability is already in the software, then why not just give the user an easier way to access it? It wouldn't take much code to facilitate?