Hacker News new | comments | show | ask | jobs | submit login

>A PDF file is just words and pictures on a page

>They don't include animations, they don't accept user input, they don't connect to servers and stream files and send updates

A PDF file is much more than just words and pictures. There are forms which accept user input, weird embedded content, and other strange things. Although I am not familiar with the spec, I have seen the features that Adobe Acrobat lets you do with PDFs and it seems pretty monstrous.

To clarify, there are several security issues that arise from all of this [0], and as others on this page have pointed out, that is a good reason to make use of the existing infrastructure around browser sandboxing.

[0] - http://duckduckgo.com/?q=adobe+pdf+vulnerabilities

Right, but what percentage of the esoteric features technically supported by PDFs are actually in use? With the exception of forms, the huge, overwhelming majority of PDFs never use things like embedded objects (which, funnily enough, can sometimes be Flash files). And forms are definitely doable in a JavaScript PDF reader; they are, in fact, probably easier than in a native PDF reader since you'll be able to use HTML. So in JS, they can display almost any PDF in the world with no trouble at all. How many Flash programs are more complex than that little car demo, which runs slowly on my top-of-the-line hardware?

Why are we so afraid of native code these days? Firefox already runs plugins in a sandbox, and has done so since 3.6. There is more complexity and opportunity for screwups in unmanaged code, yes, and for a PDF JavaScript is just fine, but for something that requires a powerful, fast VM capable of real-time graphics and real-time user input without lag or freezes, it is silly to write off the benefit of performant native code just because Adobe's plugins are rife with security holes, which I believe is what is happening here.


We already have a thing that's capable of real-time graphics and real-time user input, it's called a web browser. This is simply leveraging that to run a different set of input.


Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact