[Bug]: PDF not renderable due to CSP not allowing WASM since PDFJS4 - CompileError: WebAssembly.Module(): Refused to compile or instantiate WebAssembly module

[ab96ab]

Attach (recommended) or Link to PDF file

PDFJS-JPEG2000-WebAssembly-Problem.pdf

Web browser and its version

FireFox 128.0, Edge 126.0.2592.102, Chrome 126.0.6478.183

Operating system and its version

Windows 11 Enterprise 22H2 22621.3880

PDF.js version

4.4.168

Is the bug present in the latest PDF.js version?

Yes

Is a browser extension

No

Steps to reproduce the problem

1. Have a Content-Security-Policy that does not allow usage of WebAssembly
2. Try to render the PDF file which has JPXDecode inside
3. The canvas stays blank and receive a warning on the console

What is the expected behavior?

The canvas should get painted and no console warnings should happen.
The problematic PDF file was renderable with PDFJS version 3.

What went wrong?

1. The canvas stays blank.
2. The browser console logs Warning: Unable to decode image "img_p0_1": "CompileError: WebAssembly.Module(): Refused to compile or instantiate WebAssembly module because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "script-src 'self' *.company.tld"".

Link to a viewer

No response

Additional context

The PDF was renderable without problems with the same CSP with PDFJS version 3.11.174.

I am not allowed to adjust or weaken the CSP.

This is the CSP: default-src 'none'; script-src 'self' *.company.tld; connect-src 'self' *.company.tld; img-src 'self' blob: data: *.company.tld; frame-src 'self' *.company.tld; style-src 'self' 'unsafe-inline' *.company.tld; font-src 'self' *.company.tld; frame-ancestors 'self' *.company.tld; upgrade-insecure-requests;

[Snuffleupagus]

Have a Content-Security-Policy that does not allow usage of WebAssembly

Most unfortunately, such a CSP is incompatible with the latest PDF.js versions.

Try to render the PDF file which has JPXDecode inside

Please note that there were a number of reasons for replacing our old JS-based JPEG 2000 decoder (with a compiled one based on the OpenJPEG decoder):

• It was significantly slower, and used more memory.
• It contained various (often old) bugs.
• It lacked support for a lot of JPEG 2000 features.
• None of the PDF.js contributors knew enough about the image format to support/improve the decoder.

I am not allowed to adjust or weaken the CSP.

That's very unfortunate, but we cannot really help in that case since we won't revert to the old JS-based decoder for the reasons listed above.

[DrDiman]

pdfjs-dist "4.8.69"
Chrome Version 133.0.6943.54 (Official Build) (x86_64)
FireFox 136.0b2
MacOs 15.2

I have a PDF file to display. It contains several pages in JPEG 2000, and I still have blank pages.

The only workaround I found is to set my CSP to script-src ${CSP_PERMITTED_ORIGIN} 'wasm-unsafe-eval';, but it may bring security issues.

Are there any better solutions for this bug fix? @ab96ab @JohnAdamsy @Snuffleupagus

Should it be reopened? @Snuffleupagus

[DrDiman]

Warning: Unable to decode image "img_p0_2": "CompileError: WebAssembly.Module(): Refused to compile or instantiate
WebAssembly module because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy
directive: "script-src .....".
pdf.worker.mjs:339 Info: page=1 - getOperatorList: time=15ms, len=8
pdf.mjs:386 Warning: Dependent image isn't ready yet

If I leave CSP not permitted my page will always be blank.

seems it's a bug - at least - Error should be fired (not Warning - Dependent image isn't ready yet, cause IT WILL NEVER BE READY) and my fallback error will be rendered. Are there any thoughts?

[calixteman]

If you can reproduce your issue with https://mozilla.github.io/pdf.js/web/viewer.html then it's for sure a bug in pdf.js.

[lindseythomson-princeton]

I am also seeing this can we open it back up?