Support CSP and embed script locally

Question

Support CSP and embed script locally

Ben555555 opened this issue 2 months ago · 5 comments

When using a recommended content security policy like "script-src 'self'" to block third party scripts, the following errors occurs:

chunk-AXXHMPAI.js:1 Refused to load the script 'https://cdn.jsdelivr.net/npm/pdfjs-dist@2.16.105/legacy/build/pdf.worker.min.js' because it violates the following Content Security Policy directive: "script-src 'self' https://www.google.com https://www.gstatic.com". Note that 'script-src-elem' was not explicitly set, so 'script-src' is used as a fallback.

Is it possible to embed this source file locally? I don't think it's ideal when a library is depending on files from other websites.

Answer 1 · 2024-10-31T15:12:14.000Z

Read the documentation. This is already possible.

Answer 2 · 2024-10-31T15:16:02.000Z

Yes it's possible to overwrite the path with "(window as any).pdfWorkerSrc = '/pdf.worker.mjs';".
This is rather hacky and might cause problems if this package updates to a newer script for the worker. It's not ideal in my opinion.

Answer 3 · 2024-10-31T15:49:24.000Z

What? So your concern is no longer that this isn’t possible just that you’re not happy how it is?

It’s been that way for years, works fine, and is done that way because this package relies on pdfjs (which is not going to suddenly break)

Issue should be closed imho

Answer 4 · 2024-10-31T15:53:38.000Z

I just said I don't think it's ideal and I knew about this option. Closing this issue.

Answer 5 · 2024-10-31T15:56:29.000Z

Im not a maintainer of this project, so not up to me, but I do think that pursuing this is a waste of time.