Skip to content

Simple Android PDF viewer based on pdf.js and content providers. The app doesn't require any permissions. The PDF stream is fed into the sandboxed WebView without giving it access to content or files. CSP is used to enforce that the JavaScript and styling properties within the WebView are entirely static.

License

MIT, Apache-2.0 licenses found

Licenses found

MIT
LICENSE
Apache-2.0
PDFJS_LICENSE
Notifications You must be signed in to change notification settings

GrapheneOS/PdfViewer

Folders and files

NameName
Last commit message
Last commit date

Latest commit

98b6390 · Feb 24, 2025
Aug 5, 2024
Feb 24, 2025
Feb 16, 2025
Feb 18, 2025
Sep 16, 2023
Jan 7, 2025
Jun 28, 2019
May 27, 2020
Feb 16, 2025
Nov 29, 2024
Apr 14, 2023
Jan 4, 2025
Jul 12, 2024
Feb 22, 2025
Feb 19, 2025
Dec 20, 2024
May 3, 2023

Simple Android PDF viewer based on pdf.js and content providers. The app doesn't require any permissions. The PDF stream is fed into the sandboxed WebView without giving it access to content or files. Content-Security-Policy is used to enforce that the JavaScript and styling properties within the WebView are entirely static content from the apk assets. It reuses the hardened Chromium rendering stack while only exposing a tiny subset of the attack surface compared to actual web content. The PDF rendering code itself is memory safe with dynamic code evaluation disabled, and even if an attacker did gain code execution by exploiting the underlying web rendering engine, they're within the Chromium renderer sandbox with no access to the network (unlike a browser), files, or other content.

About

Simple Android PDF viewer based on pdf.js and content providers. The app doesn't require any permissions. The PDF stream is fed into the sandboxed WebView without giving it access to content or files. CSP is used to enforce that the JavaScript and styling properties within the WebView are entirely static.

Topics

Resources

License

MIT, Apache-2.0 licenses found

Licenses found

MIT
LICENSE
Apache-2.0
PDFJS_LICENSE

Security policy

Stars

Watchers

Forks

Packages

No packages published