Bug Report or Feature Request (mark with an `x`)

- [ ] Regression (a behavior that used to work and stopped working in a new release)
- [ ] Bug report -> please search issues before submitting
- [x] Feature request
- [ ] Documentation issue or request

The error message displayed on the page can be controlled by an attacker via the "errorMessage" parameter. An attacker could craft a convincing message to trick a user into revealing their account information or visiting a malicious site.

I'm using the library to load documents by BLOB in an external viewer, which opens the document in a new browser tab. The URL then looks like this:
https://localhost:4200/assets/pdfjs/web/viewer.html?file=blob%3Ahttps%3A%2F%2Flocalhost%3A4200%2F00ff689b-bfca-44d0-bea7-a8331c073397&viewerId=ng2-pdfjs-viewer-ID1&beforePrint=true&afterPrint=true&pagesLoaded=true&pageChange=true&fileName=Car%20Loan%20Agreement.pdf&openFile=true&download=true&viewBookmark=true&print=true&fullScreen=true&find=true&locale=en-GB#&page=1&errorMessage=undefined&errorAppend=true
However, nothing prevents a user from changing the `file` query parameter value to e.g. this:

https://localhost:4200/assets/pdfjs/web/viewer.html?file=https://corsproxy.io/?https://appex.no/wp-content/uploads/2024/06/test-pdf.pdf
This exposes the app to phishing attacks.
Could I somehow prevent such behavior in any way?
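One way to address the question above is to validate the `file` and `errorMessage` parameters against the viewer page's own origin before they are handed to viewer.html: a `file` value is accepted only if it is a blob URL minted by the same origin or a relative path under it, and the error text is restricted to messages the application itself produces. This is an added example, not code from ng2-pdfjs-viewer or PDF.js; the function names, the `APP_ERROR_MESSAGES` set and the sample URLs are assumptions constructed for the example.

```javascript
// Added example (not ng2-pdfjs-viewer or PDF.js code): allowlist the viewer's
// `file` and `errorMessage` parameters before they reach viewer.html.
// Function names, APP_ERROR_MESSAGES and the sample URLs are assumptions.

// Messages the application itself is known to pass (constructed sample).
// Anything else found in the URL is replaced by a fixed generic message, so
// the displayed text can never be crafted by whoever built the link.
const APP_ERROR_MESSAGES = new Set([
  'The document could not be found.',
  'You are not permitted to view this document.',
]);
const GENERIC_ERROR_MESSAGE = 'The document could not be loaded.';

// Collect parameters from both the query string and the fragment, because the
// viewer URL in the report carries `page` and `errorMessage` after the `#`.
// Query-string values win when the same key appears in both places.
function collectViewerParams(href) {
  const url = new URL(href);
  const params = new URLSearchParams(url.search);
  const hashParams = new URLSearchParams(url.hash.replace(/^#&?/, ''));
  for (const [key, value] of hashParams) {
    if (!params.has(key)) params.append(key, value);
  }
  return { url, params };
}

// True only when `fileParam` resolves to the viewer page's own origin.
function isSameOriginFile(fileParam, pageOrigin) {
  if (typeof fileParam !== 'string' || fileParam.length === 0) return false;
  let target;
  try {
    if (/^blob:/i.test(fileParam)) {
      // A blob URL embeds the origin that created it: blob:https://host:port/<uuid>.
      // Parse that inner URL instead of relying on URL.origin for blob: schemes.
      target = new URL(fileParam.slice('blob:'.length));
    } else {
      // Relative paths resolve against the viewer's origin; absolute URLs
      // (including protocol-relative //host/... and data:) keep their own origin.
      target = new URL(fileParam, pageOrigin + '/');
    }
  } catch {
    return false; // unparsable value: refuse rather than guess
  }
  return target.origin === pageOrigin;
}

// Only messages the application produces are shown. 'undefined' (the
// serialised default seen in the report's URL) and '' count as absent.
function safeErrorMessage(param) {
  if (param === null || param === '' || param === 'undefined') return null;
  return APP_ERROR_MESSAGES.has(param) ? param : GENERIC_ERROR_MESSAGE;
}

// Returns the parameters the viewer may act on: `file` is null unless it is
// same-origin, and `errorMessage` is never attacker-supplied text.
function validateViewerHref(href) {
  const { url, params } = collectViewerParams(href);
  const file = params.get('file');
  return {
    file: isSameOriginFile(file, url.origin) ? file : null,
    errorMessage: safeErrorMessage(params.get('errorMessage')),
  };
}

// Stand-alone demonstration on two constructed viewer URLs.
console.log(validateViewerHref(
  'https://localhost:4200/assets/pdfjs/web/viewer.html' +
  '?file=blob%3Ahttps%3A%2F%2Flocalhost%3A4200%2F00ff689b-bfca-44d0-bea7-a8331c073397' +
  '#&page=1&errorMessage=undefined'));
console.log(validateViewerHref(
  'https://localhost:4200/assets/pdfjs/web/viewer.html' +
  '?file=https://corsproxy.io/?https://appex.no/wp-content/uploads/2024/06/test-pdf.pdf'));
```

The check belongs wherever the application reads the URL before calling into PDF.js, for instance at the top of the wrapper's copy of viewer.html: when `file` comes back `null`, show the generic error instead of loading anything. The origin comparison is taken from the viewer page's own URL, which the link author cannot change, so a `corsproxy.io` or any other third-party document is never rendered under the application's origin, and the error banner only ever shows text the application chose.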