Use Adobe Reader 7 with JavaScript disabled
Authored by: prodok on Jun 04, '05 05:30:55AM

Of course, it is the user's good right to disable JavaScript in Acrobat.

However, disabling Acrobat JavaScript because of "security" reasons is rather a weak argument.

Because of the way Acrobat has JavaScript implemented, particularly in Acrobat 7, none of the "reasons" why JavaScript should be disabled in browsers are valid. Acrobat JavaScript essentially runs in its own sandbox, and has only very limited access to the "external world". File system access is rather limited for reading, and extremely limited for writing. And, what is more important, access "behind the user's back" is not possible ("behind the user's back" means that the user does not notice anything). Potentially dangerous actions do require an additional action of some kind by the user (such as confirming a dialog box, selecting a file name, doing an additional installation, etc.).

So, as "functional" as the hint is, it is indeed a hint which will cause more problems than it will prevent. More and more even simple documents use some JavaScript for additional functionality, be it navigation, be it for displaying contents. And I don't even talk about (fillable) forms.

And one might think about it, that many really high-profile organizations, where problems security-wise would really give them a hard time (let's talk about tax authorities) use and distribute documents with JavaScript built in.

So, it might be a good idea to keep this hint as an "educational" example, but definitely not use it.

Max Wyss.

(well, I might be a little bit biased... I have been developing applications with Acrobat JavaScript since it became possible to do so...)

Use Adobe Reader 7 with JavaScript disabled
Authored by: alblue on Jun 04, '05 09:36:12AM

I have to agree with the original poster -- that JavaScript should be disabled by default; or at least, on a per-document basis the user can be asked 'Do you want to enable JavaScript for this document?'

The fact that one *can* do things with JavaScript in a PDF document doesn't mean that one *should* do things with JavaScript. After all, PDF is not Flash -- it's meant to be a static resource for documentation, in a device-independent and operating-system independent way.

Arguing that turning off JavaScript breaks functionality is only true for those documents that need JavaScript -- for all other docs, it doesn't make any difference. Plus, there are a bunch of nasty things that *any* macro language can do; for example, access remote URLs to 'track' a document; prevent certain aspects of a document from working (e.g. preventing printing, that kind of thing).

An interactive document is much better delivered as a set of web pages, not a PDF.

Having said that, you can do a sick amount of things with JavaScript in PDFs, as this PDF calculator shows: http://www.tug.org/applications/pdftex/calculat.pdf. Note that it won't work correctly in Preview, since that doesn't support JavaScript (fortunately).

Use Adobe Reader 7 with JavaScript disabled
Authored by: prodok on Jun 10, '05 03:38:47AM

Everyone is allowed to have his opinion, and there is nothing against the opinion to have JavaScript deactivated. Simply do it, and get happy... until you run into some trouble...

The idea that PDF is "meant to be a static resource for documentation" is one of the big misconceptions about PDF out there. The "static" aspect may have been true in early versions ... about 10 years ago. But since then, PDF has proven to be more than that. It now allows for interactivity, but still in a device-independent and operating system-independent way. And that with all the advantages of the PDF format (integrity of contents, integrity of presentation).

The argument for "tracking" documents mentions badly designed document control systems. In fact, a good system gives permissions to do something, such as printing. And restricting certain things from working may absolutely and well be in the intention of the document owner. Note, because of the capability of PDF to make legally binding documents, such control features are needed.

Suggesting to deliver interactive documents as a set of web pages is most likely a sign of not knowing better. Haven't we talked about "platform-independent" before? And, experience shows that developing interactive documents of a certain level of sophistication (that would already apply for a medium complex form) takes easily 2 to 4 times longer (and therefore costs 2 to 4 times more) in HTML than in PDF ... and if we look at Java, we may easily get a factor 10...

There are valid security concerns
Authored by: Christoph on Jun 06, '05 02:53:23AM
As far as I know, there is actually a security issue with Acrobat Reader 7 which can only be fixed by removing JavaScript:

Acrobat Reader 7 will report every time a document is opened to a specific URL, provided the document has been prepared for this.

It is correct that this does not compromise your system, but it opens the field to many nasty use cases of this feature. In particular since copyright law has been changed in such a way recently that not only distributing, but even viewing or listening to copyrighted material can be a violation of copyright.

There are valid security concerns
Authored by: prodok on Jun 10, '05 03:19:14AM

Actually, in order to call a webserver when the document gets opened, you don't even need JavaScript. And this feature has been around for an even longer time.

I agree that this is a privacy issue, but I would not blame it on the base application, but on the use of it. And, there are scenarios where this "calling home" may be intended and absolutely legitimate.

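Added example, not part of any comment in this thread: a raw-byte triage that inventories the PDF name keys behind both mechanisms discussed above (embedded JavaScript and plain open actions that need no JavaScript), so a reviewer can see what a document will try to do before opening it in Reader. The function names and the sample fragments are constructed for illustration.

```python
import re

# Name keys from the PDF specification that mark active content.
SCRIPT_KEYS = {"JavaScript", "JS"}
TRIGGER_KEYS = {"OpenAction", "AA"}  # actions run on open or on other events
ACTION_KEYS = {"URI", "SubmitForm", "GoToR", "Launch"}  # reach outside the document
WATCHED = SCRIPT_KEYS | TRIGGER_KEYS | ACTION_KEYS

NAME_RE = re.compile(rb"/([A-Za-z0-9#]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Constructed object fragments (not complete PDF files), for illustration only.
SAMPLE_URI_ON_OPEN = (b"1 0 obj << /Type /Catalog /OpenAction "
                      b"<< /S /URI /URI (http://tracker.example.invalid/ping) >> >> endobj")
SAMPLE_JS = b"2 0 obj << /S /J#61vaScript /JS (var x = 1;) >> endobj"
SAMPLE_STATIC = b"3 0 obj << /Type /Page /Contents 4 0 R >> endobj"


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes so that /J#61vaScript is counted as /JavaScript."""
    return HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def inventory(pdf_bytes: bytes) -> dict:
    """Count watched name keys in the raw bytes of a PDF.

    Limitation: objects inside compressed object streams are invisible
    to a raw scan and need a real PDF parser.
    """
    counts = {}
    for match in NAME_RE.finditer(pdf_bytes):
        name = decode_name(match.group(1))
        if name in WATCHED:
            counts[name] = counts.get(name, 0) + 1
    return counts


def verdict(counts: dict) -> str:
    """Summarise an inventory into one triage label."""
    has_script = any(k in counts for k in SCRIPT_KEYS)
    has_trigger = any(k in counts for k in TRIGGER_KEYS)
    has_action = any(k in counts for k in ACTION_KEYS)
    if has_script:
        return "contains JavaScript"
    if has_trigger and has_action:
        return "outbound action on open, no JavaScript"
    if has_trigger or has_action:
        return "actions present"
    return "static"
```

A document labelled "outbound action on open, no JavaScript" is unaffected by the JavaScript preference, so disabling JavaScript alone does not cover it.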
The problem is being right too soon...
Authored by: nemoinis on Jun 20, '05 11:36:02AM

Adobe has posted an advisory about an Adobe Reader and Acrobat vulnerability:

Product: Adobe Reader 7.0 and 7.0.1, Adobe Acrobat 7.0 and 7.0.1
Platform: Macintosh and Windows
Vulnerability Identifier: CAN-2005-1306

...If an XML script is embedded in JavaScript, it is possible to discover the existence of local files. An attacker could then use the information gathered for malicious purposes...

http://www.adobe.com/support/techdocs/331710.html

Use Adobe Reader 7 with JavaScript disabled
Authored by: jjll on Jan 26, '06 04:18:55PM

Great tip!!! I can't believe Adobe decided to integrate Javascript into PDF files... now no documents are safe...

That argument on the contained environment and no security problem stuff sounds just like the ones presented by Microsoft when Internet Explorer came out... and just look how that turned out...

And check out this follow article... there are actually companies out there embedding spying JavaScript codes in PDF for you now... no security/privacy risk, you say???

http://lwn.net/Articles/129729/
