Adobe 12001196 - Acrobat - Mac Manual page 31

Application security guide
Section 4   Enhanced Security

| Action | Data file location | PDF location | 8.x behavior | 9.x behavior |
|---|---|---|---|---|
| Opening a target PDF | local | local | PDF opens. No authentication required. | No change. |
| Opening a target PDF | local | server | PDF opens. | Allow via dialog or enable enhanced security and set privileged location. |
| Opening a target PDF | server | server | PDF opens. No authentication required. | No change. |
| Opening a target PDF | https server | local | Blocked | Http hosted FDFs cannot open local files. |
| Data injection | n/a | n/a | Allowed | Allowed if: * Data returned via a form submit with url#FDF. * FDF has no /F or /UF key. * cross-domain policy permits it. |
| Data injection | server | browser | Allowed | Allowed if: * Link to PDF contains #FDF=url. * FDF has no /F or /UF key. * cross-domain policy permits it. |
| Data injection | server | Acrobat/Reader | Allowed | Allowed if: * PDF makes EFS POST/GET and FDF sends data in https response to same PDF. * cross-domain policy permits it. |
| Data injection | Varied | Varied | Allowed | Allow via dialog or enable enhanced security and set privileged location. |
| Script injection | Any | Any | Allowed | Blocked if enhanced security is on and FDF is not in a privileged location. |

FDF restriction examples
The following are examples of disallowed actions when enhanced security is on:
• If the PDF opens in the browser, and the URL to the PDF contains a #FDF=url, then the FDF data specified by that URL may be injected into the open PDF if the FDF has no /F key and if the PDF may receive data from the FDF based on the cross-domain policy.
• If the PDF opens in the Acrobat/Reader standalone application and the FDF data comes back in the https response to a POST/GET initiated by the PDF, then the FDF data may be injected into the open PDF if the PDF specified in the FDF is the PDF that made the POST/GET and if the PDF may receive data from the FDF based on the cross-domain policy (i.e. * in crossdomain.xml).

FDF permissions examples
The following are examples of scenarios where FDF data injection does need a user-authorization dialog when enhanced security is on:
• You submit data from a PDF in the browser and the URL has #FDF at the end. The returned FDF has an /F key pointing to a different PDF which needs to get loaded (everything is happening in the browser). The FDF data gets injected into the second PDF.
• Same as above, except it all happens in Acrobat rather than in the browser. In this case, the #FDF at the end of the URL is not needed.
• The "spontaneous FDF" case: In the browser, an unsolicited FDF arrives (via a link from an HTML page before, and Acrobat is not running yet), and the FDF has an /F key for a PDF that it needs to open and populate.
• Opening a link of the form http://A.com/file.pdf#FDF=http://B.com/getFDF.

4.5.2 Dialogs and warnings
Beginning with the 9.3 and 8.2 updates, a non-intrusive Yellow Message Bar (YMB) that doesn't block workflows replaces many of the modal dialogs. Depending on how the client is configured, the YMB appears at the top of the document and offers the user the choice to trust the document "once" or "always."
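
The browser data-injection conditions in the FDF table and examples above (a #FDF=url link, no /F or /UF key in the FDF, cross-domain policy) can be checked when triaging links and the FDF they reference. The following is an added example, not code from Adobe's guide; the function names, the policy_permits input, the regex heuristic for /F and /UF, the sample FDF bodies, reading the FDF parameter as the last item in the fragment, and treating a same-origin FDF as permitted are all assumptions.

```python
import re
from urllib.parse import urlsplit, unquote

# Heuristic (assumption): a file specification under /F or /UF is a string or a
# dictionary, so the key is followed by "(" or "<". Field-level /F flags are
# integers and are not matched.
FILESPEC_KEY = re.compile(rb"/(?:UF|F)\s*[(<]")

# Constructed sample FDF bodies, not taken from the guide.
FDF_DATA_ONLY = b"%FDF-1.2\n1 0 obj\n<< /FDF << /Fields [ << /T (name) /V (Alice) /F 4 >> ] >> >>\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
FDF_WITH_TARGET = b"%FDF-1.2\n1 0 obj\n<< /FDF << /F (other.pdf) /Fields [ << /T (name) /V (Alice) >> ] >> >>\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"


def fdf_url_from_link(link):
    """Return the URL carried in the link's #FDF=... fragment, or None."""
    match = re.search(r"(?:^|&)fdf=(.+)$", urlsplit(link).fragment, re.IGNORECASE)
    return unquote(match.group(1)) if match else None


def origin(url):
    """Scheme, lower-cased host and effective port of a URL."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (parts.scheme, (parts.hostname or "").lower(), port)


def classify(link, fdf_body, policy_permits=False):
    """Apply the browser data-injection conditions to one link and its FDF.

    policy_permits is an assumed input: True when the FDF server's
    crossdomain.xml lets the PDF's domain receive the data.
    """
    fdf_url = fdf_url_from_link(link)
    if fdf_url is None:
        return "no-fdf"
    if FILESPEC_KEY.search(fdf_body):
        return "dialog: FDF names a target PDF (/F or /UF)"
    if origin(link) != origin(fdf_url) and not policy_permits:
        return "dialog: cross-domain FDF, no policy grant"
    return "inject: no dialog"


if __name__ == "__main__":
    link = "http://A.com/file.pdf#FDF=http://B.com/getFDF"  # link form shown in the guide
    print(classify(link, FDF_DATA_ONLY))
    print(classify(link, FDF_DATA_ONLY, policy_permits=True))
```

The field dictionary in FDF_DATA_ONLY carries an integer /F flag on purpose, to show that the heuristic does not mistake it for a target-PDF file specification.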
Page 27
