Mozilla is working on a project that will add PDF rendering to Firefox using HTML5 and JavaScript, eliminating the need for users to run Adobe’s own plug-in.
“The PDF reader may be included in Firefox within three months,” said Andreas Gal, a Mozilla researcher.
If Mozilla follows through on its plans, it would make Firefox the second major browser — after Google’s Chrome — to offer in-browser PDF rendering.
But while Chrome relies on an API (application programming interface) to craft its own native-code plug-in, Mozilla will exclusively use HTML5 and JavaScript to display Adobe’s popular document format, according to Gal.
“The traditional approach to rendering PDFs in a browser is to use a native-code plug-in, either Adobe’s own PDF Reader or other commercial renderers, or some open-source alternative,” Gal said.
“From a security perspective, this enlarges the trusted code base, and because of that, Google’s Chrome browser goes through quite some pain to sandbox the PDF renderer to avoid code injection attacks. An HTML5-based implementation is completely immune to this class of problems,” he said.
Adobe Reader, the free PDF viewer whose plug-in is most notably used by Microsoft’s Internet Explorer (IE), has been updated five times so far this year to fix flaws discovered by, and in many cases exploited by, cyber criminals. Three of those updates were “out-of-band,” or emergency releases to address critical vulnerabilities hackers were actively exploiting.
By shunning the Reader plug-in, a browser sidesteps the vulnerabilities that come with the Adobe software.
Mozilla will initially provide the in-browser PDF viewer via a Firefox extension, but Gal said the ultimate goal was to ship the viewer inside the browser. “This will result in a substantial usability but also security improvement for our users,” he argued.
Mozilla has dubbed the open-source project “pdf.js,” and has published detailed plans on its site, as well as source code on Github.
Gal said that other browsers could also use pdf.js to display PDF documents.”We would love to see it embedded in other browsers or Web applications,” Gal said. “Because it’s written only in standards-compliant Web technologies, the code will run in any compliant browser.”