feat(engines): add workerUrl and encoderWorkerUrl for CSP-friendly workers#634
Open
IBRAHIMDANS wants to merge 1 commit into
Open
feat(engines): add workerUrl and encoderWorkerUrl for CSP-friendly workers#634IBRAHIMDANS wants to merge 1 commit into
IBRAHIMDANS wants to merge 1 commit into
Conversation
…endly workers Allow configuring the PDFium worker and image encoder worker via static URLs instead of blob: object URLs, enabling strict Content Security Policies without requiring `worker-src blob:`. When the option is omitted, the existing blob: fallback is preserved for full backward compatibility. Closes embedpdf#628
|
Someone is attempting to deploy a commit to the OpenBook Team on Vercel. A member of the Team first needs to authorize it. |
There was a problem hiding this comment.
Pull request overview
This PR adds CSP-friendly worker URL configuration for the PDFium worker engine and propagates the new options through framework hooks.
Changes:
- Added
workerUrlandencoderWorkerUrloptions to PDFium engine creation options. - Used provided worker URLs instead of generated
blob:URLs when available. - Propagated the new options through React/Preact shared, Svelte, and Vue hooks.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 5 comments.
Show a summary per file
| File | Description |
|---|---|
packages/engines/src/lib/pdfium/web/worker-engine.ts |
Adds worker URL options and uses them when constructing PDFium and encoder workers. |
packages/engines/src/lib/pdfium/web/direct-engine.ts |
Extends the shared options type with worker URL fields for compatibility. |
packages/engines/src/shared/hooks/use-pdfium-engine.ts |
Passes worker URL options through the React/Preact hook. |
packages/engines/src/svelte/hooks/use-pdfium-engine.svelte.ts |
Passes worker URL options through the Svelte hook. |
packages/engines/src/vue/composables/use-pdfium-engine.ts |
Passes worker URL options through the Vue composable. |
Comments suppressed due to low confidence (2)
packages/engines/src/svelte/hooks/use-pdfium-engine.svelte.ts:45
- This newly added call is not formatted according to the repo's Prettier configuration (
prettier/prettieris enforced in ESLint with a 100-column print width). Please run the formatter so this line is wrapped consistently.
const pdfEngine = await createPdfiumEngine(wasmUrl, { logger, fontFallback, workerUrl, encoderWorkerUrl });
packages/engines/src/vue/composables/use-pdfium-engine.ts:58
- This newly added call is not formatted according to the repo's Prettier configuration (
prettier/prettieris enforced in ESLint with a 100-column print width). Please run the formatter so this line is wrapped consistently.
const pdfEngine = await createPdfiumEngine(wasmUrl, { logger, fontFallback, workerUrl, encoderWorkerUrl });
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| }, ignore); | ||
| }; | ||
| }, [wasmUrl, worker, logger, fontFallback]); | ||
| }, [wasmUrl, worker, logger, fontFallback, workerUrl, encoderWorkerUrl]); |
| */ | ||
| export function usePdfiumEngine(props: UsePdfiumEngineProps = {}): UsePdfiumEngineResult { | ||
| const { wasmUrl = defaultWasmUrl, worker = true, logger, fontFallback } = props; | ||
| const { wasmUrl = defaultWasmUrl, worker = true, logger, fontFallback, workerUrl, encoderWorkerUrl } = props; |
Comment on lines
+38
to
+41
| * // Vite | ||
| * workerUrl: new URL('@embedpdf/engines/pdfium-worker', import.meta.url).href | ||
| * // Or a static asset | ||
| * workerUrl: '/assets/embedpdf-worker.js' |
|
|
||
| export function usePdfiumEngine(config?: UsePdfiumEngineProps) { | ||
| const { wasmUrl = defaultWasmUrl, worker = true, logger, fontFallback } = config ?? {}; | ||
| const { wasmUrl = defaultWasmUrl, worker = true, logger, fontFallback, workerUrl, encoderWorkerUrl } = config ?? {}; |
| */ | ||
| export function usePdfiumEngine(props: UsePdfiumEngineProps = {}): UsePdfiumEngineResult { | ||
| const { wasmUrl = defaultWasmUrl, worker = true, logger, fontFallback } = props; | ||
| const { wasmUrl = defaultWasmUrl, worker = true, logger, fontFallback, workerUrl, encoderWorkerUrl } = props; |
Author
|
@copilot apply changes based on the comments in this thread |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes: #628
Add
workerUrlandencoderWorkerUrloptions toCreatePdfiumEngineOptionsso that the PDFium worker and the image encoder worker pool can be loaded from a static URL instead of ablob:object URL.workerUrl— URL to the PDFium worker scriptencoderWorkerUrl— URL to the image encoder worker scriptblob:fallback is preserved (no breaking change)Motivation
Apps with a strict Content Security Policy that omit
blob:fromworker-src(orchild-src) are currently blocked when usingusePdfiumEngine({ worker: true }):This is a blocker for banking, healthcare, and defense environments where compliance frameworks flag
worker-src blob:. Libraries like pdf.js and monaco-editor already expose the worker as a configurable URL — this PR brings EmbedPDF in line with that pattern.Usage
CSP header can then be simply:
Notes
@embedpdf/engineshas no test infrastructure today. The branching logic (workerUrl ?? createObjectURL(...)) is minimal enough that the diff is self-explanatory./docs/snippet/airgappedpage would benefit from a short section on these two options — happy to contribute that separately if the maintainers agree on the API shape.