Note that it works for internal absolute URLs, including from subwikis.
When you say "internal absolute URL" you mean an URL that has the same domain as the page where the pdf viewer is used, but it's passed as an absolute URL (starting with https://... ) instead of being passed as relative to the domain (starting with a /...) , right?
* introduce an option to provide trusted origins to the pdfjs code
* if an origin belongs to the list of the trusted origins defined in XWiki, then the
origin error is not trown anymore by pdfjs, instead it will fallback on default browsers behavior
* the CORS still needs to be configured by each website/server owner
This fix is not enough as it is in order to display PDF's from different origins. It only provides a mechanism to define some trusted origin to bypass the pdfjs check that throws origin error.
In addition, each XWiki instance owner is responsible to configure the CORS mechanism.