[Bug]: PDF not renderable due to CSP not allowing WASM since PDFJS4 - CompileError: WebAssembly.Module(): Refused to compile or instantiate WebAssembly module #18457

Closed
ab96ab opened this issue Jul 19, 2024 · 1 comment

Comments

@ab96ab

ab96ab commented Jul 19, 2024

Attach (recommended) or Link to PDF file

PDFJS-JPEG2000-WebAssembly-Problem.pdf

Web browser and its version

Firefox 128.0, Edge 126.0.2592.102, Chrome 126.0.6478.183

Operating system and its version

Windows 11 Enterprise 22H2 22621.3880

PDF.js version

4.4.168

Is the bug present in the latest PDF.js version?

Yes

Is a browser extension

No

Steps to reproduce the problem

  1. Have a Content-Security-Policy that does not allow usage of WebAssembly
  2. Try to render the PDF file which has JPXDecode inside
  3. The canvas stays blank and a warning is received on the console

What is the expected behavior?

The canvas should get painted and no console warnings should happen.
The problematic PDF file was renderable with PDFJS version 3.

What went wrong?

  1. The canvas stays blank.
  2. The browser console logs `Warning: Unable to decode image "img_p0_1": "CompileError: WebAssembly.Module(): Refused to compile or instantiate WebAssembly module because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' *.company.tld""`.

Link to a viewer

No response

Additional context

The PDF was renderable without problems with the same CSP with PDFJS version 3.11.174.

I am not allowed to adjust or weaken the CSP.

This is the CSP: `default-src 'none'; script-src 'self' *.company.tld; connect-src 'self' *.company.tld; img-src 'self' blob: data: *.company.tld; frame-src 'self' *.company.tld; style-src 'self' 'unsafe-inline' *.company.tld; font-src 'self' *.company.tld; frame-ancestors 'self' *.company.tld; upgrade-insecure-requests;`

@Snuffleupagus
Collaborator

> Have a Content-Security-Policy that does not allow usage of WebAssembly

Most unfortunately, such a CSP is incompatible with the latest PDF.js versions.

> Try to render the PDF file which has JPXDecode inside

Please note that there were a number of reasons for replacing our old JS-based JPEG 2000 decoder (with a compiled one based on the OpenJPEG decoder):

  • It was significantly slower, and used more memory.
  • It contained various (often old) bugs.
  • It lacked support for a lot of JPEG 2000 features.
  • None of the PDF.js contributors knew enough about the image format to support/improve the decoder.

> I am not allowed to adjust or weaken the CSP.

That's very unfortunate, but we cannot really help in that case since we won't revert to the old JS-based decoder for the reasons listed above.

Rob--W added a commit to Rob--W/pdf.js that referenced this issue Sep 15, 2024
After the removal of 'unsafe-eval' CSP in mozilla#18651, WebAssembly fails to
load, resulting in issues such as seen in mozilla#18457.

Manifest Version 3 does not allow 'unsafe-eval', but does accept the more
specific 'wasm-unsafe-eval' as of Chrome 103. Note that manifest.json
already sets minimum_chrome_version to 103.

This patch also adds `object-src 'self'` because it was required until
Chrome 110. As of Chrome 111, the default is `object-src 'self'` and
`object-src` is no longer required. We could drop `object-src` in the
future, but for now we need to include it to support Chrome 103 - 110.
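
As an added example (not code from PDF.js or from anyone in this thread), the following JavaScript predicts whether a given policy lets the browser compile WebAssembly, using the CSP Level 3 rule that only `script-src`, falling back to `default-src`, is consulted. The function names and the `WITH_WASM` variant are constructed for illustration; `REPORTED` is the policy from the issue, shortened.

```javascript
// Added example: predicts whether one Content-Security-Policy permits
// WebAssembly compilation and eval(), per the CSP Level 3 rule that only
// script-src (falling back to default-src) governs both.

// Parse a serialized policy into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A duplicate directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Returns { wasm, eval, directive } for a single policy string.
function scriptEvalCapabilities(policy) {
  const directives = parseCsp(policy);
  const directive = directives.has("script-src") ? "script-src"
    : directives.has("default-src") ? "default-src" : null;
  // No governing directive: this policy restricts neither eval() nor WASM.
  if (directive === null) return { wasm: true, eval: true, directive };
  // Keyword sources are matched case-insensitively.
  const sources = directives.get(directive).map((s) => s.toLowerCase());
  const unsafeEval = sources.includes("'unsafe-eval'");
  return {
    // 'wasm-unsafe-eval' unlocks WebAssembly only; 'unsafe-eval' unlocks both.
    wasm: unsafeEval || sources.includes("'wasm-unsafe-eval'"),
    eval: unsafeEval,
    directive,
  };
}

// Policy quoted in the issue, shortened to the directives relevant here.
const REPORTED = "default-src 'none'; script-src 'self' *.company.tld; " +
  "img-src 'self' blob: data: *.company.tld";
// Constructed variant: the same policy with only 'wasm-unsafe-eval' added.
const WITH_WASM = REPORTED.replace("script-src 'self'",
  "script-src 'self' 'wasm-unsafe-eval'");

console.log("reported:", scriptEvalCapabilities(REPORTED));
console.log("with wasm-unsafe-eval:", scriptEvalCapabilities(WITH_WASM));
```

When several policies are delivered for one page, every one of them must permit WebAssembly, so run the check on each policy separately.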