commit | 72119c3c7f62b01f522845df03b5812fa5b7be49 | |
---|---|---|
author | Tom Sepez <[email protected]> | Tue Dec 13 18:48:56 2022 |
committer | Chromium LUCI CQ <[email protected]> | Tue Dec 13 18:48:56 2022 |
tree | b895d139b1dc86f30380a5727c58f1e9e1901b29 | |
parent | 0cf32b5139d35ac0eead5052e46b61e6d0ba1f08 | |

Improve security FAQ section on PDFs and JavaScript.

Add a sentence about the lack of ambient authority over a domain.

Change-Id: I9fae25c1cafc9f2cb506325a0099e9a2f3f97e5a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4096647
Commit-Queue: Tom Sepez <[email protected]>
Reviewed-by: Adrian Taylor <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1082594}

diff --git a/docs/security/faq.md b/docs/security/faq.md index af93f95..dddcccf 100644 --- a/docs/security/faq.md +++ b/docs/security/faq.md
@@ -382,8 +382,9 @@ No. PDF files have the ability to run JavaScript, usually to facilitate field validation during form fill-out. Note that the set of bindings provided to -the PDF are more limited than those provided by the DOM to HTML documents (e.g. -no document.cookie). +the PDF are more limited than those provided by the DOM to HTML documents, nor +do PDFs get any ambient authority based upon the domain from which they are +served (e.g. no document.cookie). <a name="TOC-Are-PDF-files-static-content-in-Chromium-"></a> ### Are PDF files static content in Chromium?
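
Review bot: In the added lines, the trailing "(e.g. no document.cookie)" now follows the new ambient-authority clause, so it is unclear whether it illustrates the limited bindings or the lack of domain-based authority, and "nor do PDFs get" attaches to an affirmative clause ("are more limited than"), which reads awkwardly. Consider splitting this into two sentences: keep the example with the sentence about bindings, then state separately that PDFs get no ambient authority based upon the domain from which they are served. The unchanged context line "the set of bindings provided to the PDF are" could also take "is" while this paragraph is being touched.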