How can I obscure file path in PDF.js

Question

I have PDF.js working on my server, but am struggling with how I could implement it without exposing my file path (or ideally, move my files outside the web root).

e.g. could I implement a pass-through PHP where I call http://example.com/view?file=yyy.pdf&subdir=zzz

and then I could use PDF.js to open the file located at say, http://example.com/obscure/zzz/yyy.pdf (instead of calling http://example.com/viewer?file=http://example.com/obscure/zzz/yyy.pdf)

OR, better yet, a file outside the webfoot at: /absolute/path/zzz/yyy.pdf

FYI: [example.com](http://example.com) is there for a reason. — , Mar 15 '13 at 00:37
Already been answered: http://stackoverflow.com/questions/10834196/secure-files-for-download — Scott Yang, Mar 15 '13 at 00:47
Yes! That opens the file, thank you. But I'm not sure how PDF.js paints this. — littlered, Mar 15 '13 at 00:58

narration_sd · Answer 1 · 2013-03-27T00:17:26.283

N.B. 26 Mar 2013 -- Apologies, as I am going to have to retract the original answer.

It turns out that HTTP_REFERER (which always has been mis-spelled) is not reliable for security, as it can easily be spoofed.

I'm going to leave some of the original idea below, as it shows what not to do, in belief it would be safe, but first will lay out an alternative.

The basic challenge for any key-based alternative is that whatever is sent back and forth to unlock an off-website file access would be visible in various ways through the browser, which is where PDF.js actually runs and requests the access. This would be true even if the authentication mechanism avoids the main screen, or if SSL were used to protect the channel.

The best method I can come up with for the moment would be a time-limited key, accepting that this has some practical difficulty. However, even with occasional web slowdowns as we see them, the time window could be fairly short, as the key access occurs at the beginning of downloading the document.

SSL would be a requirement for any high-security arrangement, as otherwise the net connection could be snooped and the key re-used within the timeout. The authenticating system which launches PDF.js would need to coordinate with the document gateway for the key which PDF.js would use to call back and gain access. This could be done using on-server messaging, which a CMS database might fulfill.

Thus this looks like a possible design, if not one to be worked up in an hour. If SSL is used for the original user login as well as for the time-based key, it might be thought to be as secure as on-line banking, including the personnel factors in real life.

Here's the sense of the original flawed idea, for reference:

There appeared to be an easy, but now seen false answer for protecting the files, by using an .htaccess condition to allow only your locally-supplied pdf.js file permission to the directory holding the pdfs. That directory would need to be within the website because pdf.js accesses in web space rather than file space. Here's the form of the condition and response, which you can tune for your url and pdf.js location:

Options -Indexes
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^(http|https)://(www.)?yourdomain\.com/yourfolder/s/pdf\.js$
RewriteRule .* - [F]

How can I obscure file path in PDF.js

1 Answers1