Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Reading that bug, it sounds like it was fixed in https://chromium.googlesource.com/chromium/src/+/51cd319fd6a... and the bug status is just incorrect?


That appears to be for blocking JS (and opt-in only via disabling JS on the site hosting the PDF). I am unfamiliar w/ the internals of PDFs (especially concerning JS invocation), but can you request an image from a third party site without scripting? Also, what if I want the PDF's features to work and I just want to filter web requests like I do every other page out there (e.g. to remove the referrer header)?

That web requests in PDF content types are not subject to the same approach as web requests in HTML content types is the problem. Disabling all JS is a blunt instrument akin to telling someone that being able to disable JS for other webpages is as good as more nuanced ad block extension.


You seem to be in favour of some JS running but not other JS - how can software tell the difference? What do you mean by "nuanced ad block extension"? Do they just have a massive blacklist of bad actors to block?


> You seem to be in favour of some JS running but not other JS

No, sorry if I was unclear. What I'm in favor of is my extensions being able to handle/filter web requests on PDFs the same as they do for webpages, irrespective of JS settings. JS is only under discussion here because of the linked commit and I'm saying that's not good enough.


Ok, anyway I agree with that completely, which is why I disabled PDFs opening automatically and have to click to open (via a standlone reader, not browser plugin). It's basically the same situation as the bad old days of having Flash load automatically and it making whatever requests it wants...


However, you probably don't want your Cloud-to-Butt extension reading/modifying requests made by your password-manager extension - which is how I understood the NOFIX comment.


The bug still seems to be present. You can use the testing on our website: navigate a Chrome browser with an ad-blocking extension to e.g. https://wholeftopenthecookiejar.eu/data/extensions/AdBlock/c... and click pdf-iframe-submitForm. If the result shows cookies, it has not been fixed.


That's not what the fix was. Disable JS on the site, that should prevent the pdf running JS as well. (although it might prevent the pdf loading in the first place...). As kodablah pointed out, it's not a useful fix.

edit to clarify: sorry I thought you thought that fix was trying to fix the bug, but you weren't, so this comment doesn't make much sense.




Consider applying for YC's Summer 2026 batch! Applications are open till May 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: