| 1 | +# Security Policy |
| 2 | + |
| 3 | +## Supported Versions |
| 4 | + |
| 5 | +We actively maintain and provide security updates for the following versions: |
| 6 | + |
| 7 | +| Version | Supported | |
| 8 | +| ------- | ------------------ | |
| 9 | +| 25.x.x | :white_check_mark: | |
| 10 | +| 24.x.x | :white_check_mark: | |
| 11 | +| 23.x.x | :x: | |
| 12 | +| < 23.x | :x: | |
| 13 | + |
| 14 | +## Reporting a Vulnerability |
| 15 | + |
| 16 | +We take security vulnerabilities seriously. If you discover a security vulnerability in ng2-pdfjs-viewer, please follow these guidelines: |
| 17 | + |
| 18 | +### 🔒 Private Vulnerability Reporting |
| 19 | + |
| 20 | +**Please do NOT report security vulnerabilities through public GitHub issues, discussions, or pull requests.** |
| 21 | + |
| 22 | +Instead, please report security vulnerabilities privately by: |
| 23 | + |
| 24 | +1. **Email**: Send details to [codehippie1@gmail.com](mailto:codehippie1@gmail.com) |
| 25 | +2. **GitHub Security Advisories**: Use the "Report a vulnerability" button on the [Security tab](https://github.com/intbot/ng2-pdfjs-viewer/security) |
| 26 | +3. **Responsible Disclosure**: Follow responsible disclosure practices |
| 27 | + |
| 28 | +### 📝 What to Include |
| 29 | + |
| 30 | +When reporting a vulnerability, please include: |
| 31 | + |
| 32 | +- **Description**: Clear description of the vulnerability |
| 33 | +- **Steps to Reproduce**: Detailed steps to reproduce the issue |
| 34 | +- **Impact Assessment**: Potential impact and affected components |
| 35 | +- **Environment**: Browser, Angular version, ng2-pdfjs-viewer version |
| 36 | +- **Proof of Concept**: If applicable, include a minimal reproduction case |
| 37 | +- **Suggested Fix**: If you have ideas for a fix, please share them |
| 38 | + |
| 39 | +### 🏆 Security Hall of Fame |
| 40 | + |
| 41 | +We recognize security researchers who help improve ng2-pdfjs-viewer security: |
| 42 | + |
| 43 | +- [Your Name] - CVE-XXXX-XXXX - Description of contribution |
| 44 | +- [Another Researcher] - CVE-XXXX-XXXX - Description of contribution |
| 45 | + |
| 46 | +## Security Considerations |
| 47 | + |
| 48 | +### CSP (Content Security Policy) Compliance |
| 49 | + |
| 50 | +ng2-pdfjs-viewer is designed to work with strict Content Security Policies: |
| 51 | + |
| 52 | +```html |
| 53 | +<meta http-equiv="Content-Security-Policy" |
| 54 | + content="default-src 'self'; |
| 55 | + style-src 'self'; |
| 56 | + script-src 'self';"> |
| 57 | +``` |
| 58 | + |
| 59 | +**Note**: v25.0.11+ includes fixes for CSP compliance issues with inline styles. |
| 60 | + |
| 61 | +### iframe Security |
| 62 | + |
| 63 | +The component uses iframe sandboxing for security: |
| 64 | + |
| 65 | +```html |
| 66 | +<iframe sandbox="allow-forms allow-scripts allow-same-origin allow-modals"> |
| 67 | +``` |
| 68 | + |
| 69 | +### PDF.js Security |
| 70 | + |
| 71 | +ng2-pdfjs-viewer is built on [PDF.js](https://mozilla.github.io/pdf.js/), which includes: |
| 72 | + |
| 73 | +- **XSS Protection**: Built-in protection against malicious PDF content |
| 74 | +- **Sandboxing**: Isolated execution environment |
| 75 | +- **Regular Updates**: Following PDF.js security updates |
| 76 | + |
| 77 | +## Security Best Practices |
| 78 | + |
| 79 | +### For Developers |
| 80 | + |
| 81 | +1. **Keep Dependencies Updated**: Regularly update Angular and PDF.js dependencies |
| 82 | +2. **Use HTTPS**: Always serve PDFs over HTTPS in production |
| 83 | +3. **Validate Input**: Validate PDF sources and user inputs |
| 84 | +4. **CSP Headers**: Implement proper Content Security Policy headers |
| 85 | +5. **Error Handling**: Don't expose sensitive information in error messages |
| 86 | + |
| 87 | +### For Users |
| 88 | + |
| 89 | +1. **Update Regularly**: Keep ng2-pdfjs-viewer updated to the latest version |
| 90 | +2. **Secure Sources**: Only load PDFs from trusted sources |
| 91 | +3. **HTTPS**: Use HTTPS when serving PDFs |
| 92 | +4. **Review Permissions**: Be cautious with PDFs that request special permissions |
| 93 | + |
| 94 | +## Known Security Issues |
| 95 | + |
| 96 | +### Resolved Issues |
| 97 | + |
| 98 | +- **CSP Inline Style Violations** (v25.0.11): Fixed inline style CSP violations in component template |
| 99 | +- **XSS Prevention**: iframe sandboxing prevents PDF-based XSS attacks |
| 100 | +- **URL Validation**: Built-in URL validation prevents unauthorized file access |
| 101 | + |
| 102 | +### Current Limitations |
| 103 | + |
| 104 | +- **PDF.js Vulnerabilities**: Inherits any security issues from PDF.js core |
| 105 | +- **Browser Security**: Relies on browser security for iframe isolation |
| 106 | +- **Network Security**: PDF loading depends on network security |
| 107 | + |
| 108 | +## Security Updates |
| 109 | + |
| 110 | +Security updates are typically released as: |
| 111 | + |
| 112 | +- **Patch Releases**: For critical security fixes (e.g., 25.0.12) |
| 113 | +- **Minor Releases**: For important security improvements (e.g., 25.1.0) |
| 114 | +- **Major Releases**: For significant security architecture changes (e.g., 26.0.0) |
| 115 | + |
| 116 | +## Contact Information |
| 117 | + |
| 118 | +- **Security Issues**: [security@example.com](mailto:security@example.com) |
| 119 | +- **General Support**: [GitHub Issues](https://github.com/intbot/ng2-pdfjs-viewer/issues) |
| 120 | +- **Documentation**: [Documentation Site](https://angular-pdf-viewer-docs.vercel.app/) |
| 121 | + |
| 122 | +## Acknowledgments |
| 123 | + |
| 124 | +We thank the security community for their contributions to making ng2-pdfjs-viewer more secure. Special thanks to: |
| 125 | + |
| 126 | +- The PDF.js team at Mozilla for their security-focused approach |
| 127 | +- Angular team for security best practices |
| 128 | +- All security researchers who have reported vulnerabilities |
| 129 | + |
| 130 | +--- |
| 131 | + |
| 132 | +**Last Updated**: January 2025 |
| 133 | +**Version**: 25.0.12 |
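Review bot: the two contact addresses in this file contradict each other: the "Reporting a Vulnerability" section tells reporters to mail `codehippie1@gmail.com`, while "Contact Information" lists `security@example.com`, which is the template's placeholder domain and will not reach anyone; settle on one mailbox (or point both at the GitHub Security Advisories form) before merging. The "Security Hall of Fame" entries `[Your Name] - CVE-XXXX-XXXX - Description of contribution` are likewise unfilled template text and should be dropped until there is a real entry. In the "iframe Security" snippet, `sandbox="allow-forms allow-scripts allow-same-origin allow-modals"` grants `allow-scripts` and `allow-same-origin` together; when the viewer document is served from the same origin as the host page, that combination lets the framed document remove its own sandbox attribute, so the later statement `iframe sandboxing prevents PDF-based XSS attacks` overstates what the sandbox provides and should either be qualified or be accompanied by a note on which origin the viewer is served from. Finally, `Built-in URL validation prevents unauthorized file access` names no mechanism; link the validation code or remove the claim.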