[Bug]: PDF not renderable due to CSP not allowing WASM since PDFJS4 - CompileError: WebAssembly.Module(): Refused to compile or instantiate WebAssembly module
#18457
Steps to reproduce the problem
Have a Content-Security-Policy that does not allow usage of WebAssembly
Try to render the PDF file which has JPXDecode inside
The canvas stays blank and a warning is received on the console
What is the expected behavior?
The canvas should get painted and no console warnings should happen.
The problematic PDF file was renderable with PDFJS version 3.
What went wrong?
The canvas stays blank.
The browser console logs Warning: Unable to decode image "img_p0_1": "CompileError: WebAssembly.Module(): Refused to compile or instantiate WebAssembly module because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' *.company.tld"".
Link to a viewer
No response
After the removal of 'unsafe-eval' CSP in mozilla#18651, WebAssembly fails to
load, resulting in issues such as seen in mozilla#18457.
Manifest Version 3 does not allow 'unsafe-eval', but does accept the more
specific 'wasm-unsafe-eval' as of Chrome 103. Note that manifest.json
already sets minimum_chrome_version to 103.
This patch also adds `object-src 'self'` because it was required until
Chrome 110. As of Chrome 111, the default is `object-src 'self'` and
`object-src` is no longer required. We could drop `object-src` in the
future, but for now we need to include it to support Chrome 103 - 110.
Attach (recommended) or Link to PDF file
PDFJS-JPEG2000-WebAssembly-Problem.pdf
Web browser and its version
Firefox 128.0, Edge 126.0.2592.102, Chrome 126.0.6478.183
Operating system and its version
Windows 11 Enterprise 22H2 22621.3880
PDF.js version
4.4.168
Is the bug present in the latest PDF.js version?
Yes
Is a browser extension
No
Additional context
The PDF was renderable without problems with the same CSP with PDFJS version 3.11.174.
I am not allowed to adjust or weaken the CSP.
This is the CSP:
default-src 'none'; script-src 'self' *.company.tld; connect-src 'self' *.company.tld; img-src 'self' blob: data: *.company.tld; frame-src 'self' *.company.tld; style-src 'self' 'unsafe-inline' *.company.tld; font-src 'self' *.company.tld; frame-ancestors 'self' *.company.tld; upgrade-insecure-requests;
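The error in this report follows from how CSP governs WebAssembly compilation: the check uses `script-src` (falling back to `default-src`) and passes only if that source list contains `'unsafe-eval'` or the narrower `'wasm-unsafe-eval'`. The following is an added example, not part of the issue or of PDF.js, that evaluates the reported policy and a constructed variant under that rule; the function and constant names are illustrative.

```javascript
// Added example, not PDF.js code. Models the CSP Level 3 check for one policy.

// Parse a serialized policy into a Map of directive name -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) {
      directives.set(name, tokens.slice(1).map((t) => t.toLowerCase()));
    }
  }
  return directives;
}

// Report which directive governs dynamic compilation and what it permits.
function evalPermissions(policy) {
  const directives = parseCsp(policy);
  const governing = ["script-src", "default-src"].find((d) => directives.has(d)) ?? null;
  if (governing === null) return { governing, jsEval: true, wasm: true };
  const sources = directives.get(governing);
  const jsEval = sources.includes("'unsafe-eval'");
  // 'wasm-unsafe-eval' permits WebAssembly only; 'unsafe-eval' permits both.
  const wasm = jsEval || sources.includes("'wasm-unsafe-eval'");
  return { governing, jsEval, wasm };
}

// The policy quoted in the report.
const REPORTED_CSP =
  "default-src 'none'; script-src 'self' *.company.tld; " +
  "connect-src 'self' *.company.tld; img-src 'self' blob: data: *.company.tld; " +
  "frame-src 'self' *.company.tld; style-src 'self' 'unsafe-inline' *.company.tld; " +
  "font-src 'self' *.company.tld; frame-ancestors 'self' *.company.tld; " +
  "upgrade-insecure-requests;";

// Constructed variant: the same policy with only the WebAssembly keyword added.
const WITH_WASM_KEYWORD = REPORTED_CSP.replace(
  "script-src 'self'",
  "script-src 'self' 'wasm-unsafe-eval'"
);

console.log(evalPermissions(REPORTED_CSP));
console.log(evalPermissions(WITH_WASM_KEYWORD));
```

For the reported policy the result is `wasm: false`, matching the `CompileError`; for the variant it is `wasm: true` while `jsEval` stays `false`.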