Site icon The Mac Security Blog

Firefox to Add Built-In PDF Display Framework

The Firefox web browser is planning to add a built-in PDF display framework built around HTML5 and JavaScript in future versions. Given that many users view PDFs on the web, and that some browsers – notably Firefox – either open these files in PDF viewers such as Preview or Adobe Reader, this solution removes the need for plug-ins that display PDFs in the browser.

Apple’s Safari integrates well with Apple’s PDF viewing framework, display PDFs users click on in a Safari window. Those who use Adobe Reader or Acrobat can add plug-ins, for Safari, Firefox, or other browsers, to do the same thing. But Firefox will avoid the plug-in issue by integrating a PDF display framework in the browser.

This is useful not only for making PDFs easier to read, but also by improving security. There are regularly flaws in Adobe Reader and Acrobat, given the ubiquity of these programs, and the ease of creating malicious PDF files that exploit such vulnerabilities. With a built-in PDF viewing framework, security is enhanced.

From a security perspective, this enlarges the trusted code base, and because of that Google’s Chrome browser goes through quite some pain to sandbox the PDF renderer to avoid code injection attacks. An HTML5-based implementation is completely immune to this class of problems. […] pdf.js uses only safe web languages and doesn’t contain any native code pieces attackers could exploit.

For now, there is no date as to when this will be available in Firefox, but it will certainly be a valuable addition to the browser.

Share this: