Skip to main content

iframe Security

ng2-pdfjs-viewer includes built-in iframe security features to protect your application from potential security vulnerabilities.

๐Ÿ”’ Security Overviewโ€‹

The library uses static iframe sandbox attributes to provide a secure environment for PDF viewing while maintaining full functionality. The sandbox configuration is fixed for security and Angular compliance.

Built-in Security Configurationโ€‹

<ng2-pdfjs-viewer pdfSrc="document.pdf"></ng2-pdfjs-viewer>

Static sandbox attributes (always enabled):

  • allow-forms - Enables PDF form functionality
  • allow-scripts - Enables PDF.js JavaScript execution
  • allow-same-origin - Enables loading PDF files and assets
  • allow-modals - Enables PDF.js dialogs (print, download)

๐Ÿ›ก๏ธ Security Benefitsโ€‹

XSS Preventionโ€‹

  • Prevents malicious scripts in PDFs from affecting the parent page
  • Isolates PDF.js execution environment
  • Blocks unauthorized access to parent window context

CSP Complianceโ€‹

  • Meets Content Security Policy requirements
  • Compatible with strict CSP headers
  • Reduces security audit findings

Data Protectionโ€‹

  • Limits iframe access to parent window
  • Prevents data exfiltration through PDFs
  • Protects sensitive application data

Enterprise Readyโ€‹

  • Suitable for corporate security environments
  • Meets regulatory compliance requirements
  • Integrates with security monitoring tools

โš™๏ธ Configuration Optionsโ€‹

Basic Usageโ€‹

<!-- Built-in security (always enabled) -->
<ng2-pdfjs-viewer 
  pdfSrc="document.pdf">
</ng2-pdfjs-viewer>

iframe Border Customizationโ€‹

<!-- Custom border styling -->
<ng2-pdfjs-viewer 
  pdfSrc="document.pdf"
  iframeBorder="2px solid #ccc">
</ng2-pdfjs-viewer>

Note: Sandbox attributes are fixed for security and Angular compliance. Only border styling can be customized.

๐Ÿ“‹ Sandbox Attributes Referenceโ€‹

Required Attributesโ€‹

AttributePurposeRequired For
allow-formsPDF form functionalityPDF form filling and submission
allow-scriptsJavaScript executionPDF.js viewer functionality
allow-same-originSame-origin requestsLoading PDF files and assets
allow-modalsDialog boxesPrint dialog, download confirmations

Optional Attributesโ€‹

AttributePurposeUse Case
allow-popupsOpen new windowsExternal window functionality
allow-downloadsDownload filesPDF download functionality
allow-top-navigationNavigate parent windowPDF navigation features
allow-pointer-lockPointer lock APIAdvanced interaction features

Security Attributesโ€‹

AttributePurposeSecurity Impact
allow-same-originSame-origin requestsRequired for functionality
allow-formsForm submissionRequired for PDF forms
allow-scriptsJavaScript executionRequired for PDF.js
allow-modalsDialog boxesRequired for user interactions

๐Ÿ”ง Advanced Configurationโ€‹

Border Customizationโ€‹

export class MyComponent {
  // Dynamic border configuration
  borderConfig = "0";
  
  // Update border based on theme
  updateBorder(theme: string) {
    switch (theme) {
      case 'dark':
        this.borderConfig = "1px solid #333";
        break;
      case 'light':
        this.borderConfig = "1px solid #ccc";
        break;
      case 'none':
        this.borderConfig = "0";
        break;
    }
  }
}
<ng2-pdfjs-viewer 
  pdfSrc="document.pdf"
  [iframeBorder]="borderConfig">
</ng2-pdfjs-viewer>

๐Ÿงช Testing Security Configurationโ€‹

Basic Functionality Testโ€‹

describe('iframe Security', () => {
  it('should load PDF with static sandbox', () => {
    const fixture = TestBed.createComponent(PdfViewerComponent);
    fixture.componentInstance.pdfSrc = 'test.pdf';
    fixture.detectChanges();
    
    const iframe = fixture.debugElement.query(By.css('iframe'));
    expect(iframe.nativeElement.sandbox).toBe('allow-forms allow-scripts allow-same-origin allow-modals');
  });
  
  it('should allow custom border configuration', () => {
    const fixture = TestBed.createComponent(PdfViewerComponent);
    fixture.componentInstance.pdfSrc = 'test.pdf';
    fixture.componentInstance.iframeBorder = '2px solid #ccc';
    fixture.detectChanges();
    
    const iframe = fixture.debugElement.query(By.css('iframe'));
    expect(iframe.nativeElement.style.border).toBe('2px solid #ccc');
  });
});

Security Validation Testโ€‹

it('should prevent XSS attacks', () => {
  // Test that malicious scripts in PDFs cannot access parent window
  const maliciousPdf = createMaliciousPdf();
  // ... test implementation
});

๐Ÿšจ Common Issues and Solutionsโ€‹

Issue: PDF Forms Not Workingโ€‹

Problem: PDF forms are not interactive or submit buttons don't work.

Solution: Ensure allow-forms is included in sandbox attributes.

<ng2-pdfjs-viewer 
  pdfSrc="document.pdf"
  iframeSandbox="allow-forms allow-scripts allow-same-origin allow-modals">
</ng2-pdfjs-viewer>

Issue: Download/Print Buttons Not Workingโ€‹

Problem: Download and print functionality is disabled.

Solution: Add allow-modals to sandbox attributes.

<ng2-pdfjs-viewer 
  pdfSrc="document.pdf"
  iframeSandbox="allow-forms allow-scripts allow-same-origin allow-modals">
</ng2-pdfjs-viewer>

Issue: External Window Not Openingโ€‹

Problem: "Open in new tab" button doesn't work.

Solution: Add allow-popups to sandbox attributes.

<ng2-pdfjs-viewer 
  pdfSrc="document.pdf"
  iframeSandbox="allow-forms allow-scripts allow-same-origin allow-modals allow-popups">
</ng2-pdfjs-viewer>

Issue: PDF Not Loadingโ€‹

Problem: PDF fails to load with sandbox enabled.

Solution: Ensure allow-same-origin is included for same-domain PDFs.

<ng2-pdfjs-viewer 
  pdfSrc="document.pdf"
  iframeSandbox="allow-forms allow-scripts allow-same-origin allow-modals">
</ng2-pdfjs-viewer>

๐Ÿ” Security Best Practicesโ€‹

1. Use Default Configurationโ€‹

  • Start with the default sandbox attributes
  • Only add additional permissions when needed
  • Test thoroughly after any changes

2. Regular Security Auditsโ€‹

  • Review sandbox configuration regularly
  • Test with security scanning tools
  • Monitor for security advisories

3. Principle of Least Privilegeโ€‹

  • Only enable permissions that are actually needed
  • Document why each permission is required
  • Remove unused permissions

4. Environment-Specific Configurationโ€‹

  • Use stricter settings in production
  • Relax settings only in development when needed
  • Implement security policies consistently

5. Monitoring and Loggingโ€‹

  • Monitor for security violations
  • Log sandbox configuration changes
  • Alert on unexpected behavior

๐Ÿ“š Related Documentationโ€‹

๐Ÿ†˜ Supportโ€‹

If you encounter security-related issues:

  1. Check the Common Issues section
  2. Review your sandbox configuration
  3. Test with minimal sandbox attributes
  4. Open an issue on GitHub with details

Remember: Security is a shared responsibility. Always test your configuration and stay updated with security best practices.