The PDF reader may be included in Firefox within three months, said Andreas Gal, a Mozilla researcher who unveiled work the company had done quietly for the last month. If Mozilla follows through on its plans, it would make Firefox the second major browser, after Google's Chrome, to offer in-browser PDF rendering.
"The traditional approach to rendering PDFs in a browser is to use a native code plugin, either Adobe's own PDF Reader or other commercial renderers, or some open source alternative," Gal said. "From a security perspective, this enlarges the trusted code base, and because of that, Google's Chrome browser goes through quite some pain to sandbox the PDF renderer to avoid code injection attacks. An HTML5-based implementation is completely immune to this class of problems."
Adobe Reader, the free PDF viewer whose plugin is most notably used by Microsoft's Internet Explorer (IE), has been updated five times so far this year to fix flaws discovered by, and in many cases exploited by, cyber criminals. Three of those updates were "out-of-band," or emergency releases to address critical vulnerabilities hackers were actively exploiting.
By shunning the Reader plugin, a browser sidesteps the vulnerabilities that come with the Adobe software.
Mozilla will initially provide the in-browser PDF viewer via a Firefox extension, but Gal said the ultimate goal was to ship the viewer inside the browser. "This will result in a substantial usability but also security improvement for our users," he argued.
Mozilla has dubbed the open source project "pdf.js," and has published detailed plans on its site, as well as source code on Github. Gal said that other browsers could also use pdf.js to display PDF documents.
"We would love to see it embedded in other browsers or web applications," Gal said. "Because it's written only in standards-compliant web technologies, the code will run in any compliant browser."