Setting JavaScript Options; High Privilege JavaScript Defined; JavaScript and Certified Documents - Adobe 22002486 User Manual

For Acrobat 9.0 and Adobe Reader 9.0

Acrobat 9 Family of Products
Security Feature User Guide
Never allow multimedia for untrusted documents: Never trust any certificate for dynamic content and
clear your trusted document list. Then configure your Other Document multimedia settings to Never
or Prompt.

9.3 Setting JavaScript Options

9.3.1 High Privilege JavaScript Defined

High privilege JavaScripts are Acrobat methods with security restrictions. These are marked by an "S" in
the third column of the quick bar in the JavaScript for Acrobat API Reference. These methods can be
executed only in a privileged context, which includes the console, batch, menu, and application
initialization events. All other events (for example, page open and mouse-up events) are considered
non-privileged.
The description of each security-restricted method indicates the events during which the method can be
executed. Beginning with Acrobat 6.0, security-restricted methods can execute in a non-privileged context
if the document is certified and the certifier's certificate is trusted for executing embedded high privilege
JavaScript.
In Acrobat versions earlier than 7.0, menu events were considered privileged contexts. Beginning with
Acrobat 7.0, execution of JavaScript through a menu event is no longer privileged. You can execute
security-restricted methods through menu events in one of the following ways:
By going to Edit > Preferences > JavaScript and checking the item named Enable menu items
JavaScript execution privileges.
By executing a specific method through a trusted function (introduced in Acrobat 7.0). Trusted
functions allow privileged code (code that normally requires a privileged context to execute) to
execute in a non-privileged context. For details and examples, see app.trustedFunction in the
JavaScript for Acrobat API Reference.
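
The following sketch is an added example, not taken from this manual or from Adobe's reference. It shows a folder-level script that wraps the security-restricted doc.saveAs in a trusted function and validates its argument first, since any document script can call the wrapper from a non-privileged event. EXPORT_DIR, isSafeExportName, exportPathFor and trustedExportCopy are hypothetical names; app.trustedFunction, app.beginPriv, app.endPriv and doc.saveAs are the Acrobat API calls.

```javascript
// Folder-level script: loaded at application initialization, a privileged context.
// EXPORT_DIR and all function names below are hypothetical (assumptions of this example).
var EXPORT_DIR = "/c/reports/outbox/";   // Acrobat device-independent path, assumed location

// Accept only a plain .pdf file name. The caller never supplies a directory,
// so "..", drive prefixes and path separators are rejected outright.
function isSafeExportName(name) {
    return typeof name === "string" &&
           name.length <= 64 &&
           /^[A-Za-z0-9][A-Za-z0-9_-]*\.pdf$/.test(name);
}

// Build the only path the trusted function is allowed to write to.
function exportPathFor(name) {
    if (!isSafeExportName(name)) {
        throw new Error("rejected export name");
    }
    return EXPORT_DIR + name;
}

// Register the wrapper only inside Acrobat, where the app object exists.
if (typeof app !== "undefined" && typeof app.trustedFunction === "function") {
    // Document scripts in non-privileged events (page open, mouse-up) may call this.
    var trustedExportCopy = app.trustedFunction(function (doc, name) {
        var path = exportPathFor(name);   // validate before raising privilege
        app.beginPriv();                  // privileged section starts
        try {
            doc.saveAs({ cPath: path });  // security-restricted when a path is given
        } finally {
            app.endPriv();                // always drop privilege again
        }
        return path;
    });
}
```

Keeping the privileged section to the single restricted call, and fixing the directory in the folder-level script rather than in the argument, limits what an untrusted document can do through the wrapper.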

9.3.2 JavaScript and Certified Documents

Whether JavaScript runs in certified documents depends on whether you have explicitly trusted the
certifier's digital ID certificate (directly or indirectly by trusting an issuer on the certificate chain) for that
action. You can control script behavior on a per-certificate basis or by using trust anchors. If a signer's
certificate chains up to another certificate (a trust anchor) that allows high privileged JavaScript, then high
privileged JavaScript will run in that document. For example, some enterprises may issue a MyCompany
certificate that allows high privileged JavaScript. If all employee certificates use ExampleCompany as a
trust anchor, then they can send and receive certified documents within the company that contain
working JavaScript.
If you need to enable JavaScript in certified documents, set certificate trust.
Tip: Because scripts could potentially change the document's appearance or allow attackers
access to your system, participants in certified workflows should consider the source of
the document and the security of the workflow before enabling this option.
Note: There is no way to guarantee that multimedia won't play based on the trusted document list and
certificate trust level alone. Application preferences always override these restrictions.