Hypothes.is

This repo adds the ability to read and annotate public PDFs using hypothes.is. This is based on Mozilla's pdf.js. The backend adds PdfViewerController which renders using layouts/hyku_addons/pdf_viewer.html.erb. This template loads the requried Javascript, plus files required for locales.

Security

Updating

Hypothesis will load any PDF given to it via a url parameter. In order to add a second layer of security Hypothes.is's scripts were edited to prevent this. The script now reads the id of a file and creates a url within hyrax only. See [code] (https://github.com/ubiquitypress/hyku_addons/blob/a82bf392fe6a90315670ea76a6d87afb1db17e7b/app/assets/javascripts/hyku_addons/pdf_viewer/web/viewer.js.erb#L1277) here at line 1277:

parameters = Object.create(null);

const download_id = location.pathname.split('/')[2]
parameters.url = "/downloads/" + download_id
apiParameters = _app_options.AppOptions.getAll(_app_options.OptionKind.API);

Previous code:

parameters = Object.create(null);

if (typeof file === "string") {
  _this7.setTitleUsingUrl(file);

  parameters.url = file;
} else if (file && "byteLength" in file) {
  parameters.data = file;
} else if (file.url && file.originalUrl) {
  _this7.setTitleUsingUrl(file.originalUrl);
  parameters.url = file.url;
}

apiParameters = _app_options.AppOptions.getAll(_app_options.OptionKind.API);

If hypothes.is update their scripts and you wish to update them in this repo, the above change will need to be made.

Hypothes.is

Security

Updating

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Clone this wiki locally