I’ve Got Trust Issues: Minimizing Security Warnings in Acrobat and Reader for a Better User Experience


If you are a developer creating PDF files that contain Dynamic content, you’ve probably run into issues around the security warnings or yellow bars that are suddenly popping up all over your PDF files. This is because with the release of Adobe Reader 9.3 and 8.2 we turned our Enhanced Security feature “On” by default – previously it was available but “Off” by default. In addition to this change, we’ve actually been tightening security in Acrobat and Reader for the past several versions in a variety of ways. The benefit to the user is that they can have a safer viewing experience by minimizing the risks when viewing untrusted PDF files while (and here’s the important part) allowing trusted PDF files to have unfettered access to the widest possible set of JavaScript APIs, multimedia functions and web services.

The Acrobat and Reader Trust Model:
Acrobat and Reader 9, with Enhanced Security turned on, allows only same-origin data downloads and multimedia operations [see "Enhanced Security in Adobe Acrobat 9 and Adobe Reader 9"]. In practical terms, this means that if you open a PDF file in a browser and it contains a streaming video, as long as the video was added with the Acrobat 9 video tool and it is streaming in from the same server that hosts the PDF file, the video will simply play without the user being prompted with a security warning. This is exactly what you’d want.

However, if the user saves that same PDF file to their desktop, their copy of the PDF file is no longer in the same domain as the video: the file is on the desktop, but the video is still referencing the server. When the user opens the file from their desktop, they’ll be prompted to "Allow" a connection to the server that is streaming video.

PDF with Streaming Video In Browser

PDF with Streaming Video opened from Desktop

If you are using hosted services or are streaming video from a server other than the one that hosts the PDF file, you can create a cross-domain policy file to allow other servers to be trusted. Below are two different links to the same file. The first will open the PDF file in a new browser window, the second will download the PDF file so you can open it from your desktop. The PDF file contains a Yahoo Map that references 4 different domains on the Yahoo servers. My cross-domain policy file is set up to allow cross-domain access to all four of those servers. So when the file is viewed from the browser, the first link, you get a very clean experience with no security warnings.

PDF file with embedded YahooMap In Browser
PDF file with embedded YahooMap opened from Desktop

If you open the file from your desktop after downloading it, the second link, your experience is quite a bit different. First, you’ll be prompted to allow the PDF file to access my server which actually hosts the SWF that plays inside the PDF file.

Then the SWF will try to access some assets that I also have referenced on the server. You should click "Remember my action for this site" or you’ll be prompted many times as the SWF accesses the same resource each time it places a pin on the map.

After all of that, you’ll need to allow the SWF to access each of the four Yahoo domains that the Yahoo map API requires to generate the map.

With behavior this different, it’s hard to believe that this is the exact same file. The difference in the behavior is simply due to the same-origin and cross-domain policy rules. When a PDF file is opened from the desktop, the PDF file itself is considered its own domain. So, as long as all of the resources needed to play the multimedia in that PDF file are embedded, you won’t see any security warnings. Unfortunately, this will never be the case with streaming video or any PDF file that uses web services. So – we had to come up with another solution.
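The prompt-or-no-prompt decision described above can be sketched as a small model. This is an added example, not Adobe's code: it assumes the policy uses the standard `crossdomain.xml` `allow-access-from` format and is served by the host being contacted, it compares hosts only, and the host names and the helper names (`decide`, `overly_broad`) are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase
from urllib.parse import urlparse

# Constructed policy in the crossdomain.xml format; hosts are placeholders.
POLICY_XML = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="docs.example.com"/>
  <allow-access-from domain="*.cdn.example.net"/>
</cross-domain-policy>"""


def allowed_domains(policy_xml):
    """Return the domain patterns listed in allow-access-from elements."""
    root = ET.fromstring(policy_xml)
    return [e.get("domain", "").lower() for e in root.iter("allow-access-from")]


def overly_broad(patterns):
    """Flag patterns that would trust every requesting host."""
    return [p for p in patterns if p == "*"]


def host_of(location):
    """Host for http(s) URLs; None for a PDF opened from disk."""
    parts = urlparse(location)
    return parts.hostname if parts.scheme in ("http", "https") else None


def decide(pdf_location, resource_url, resource_policy_xml=None):
    """Return 'silent' or 'prompt' for one external reference (simplified)."""
    pdf_host, res_host = host_of(pdf_location), host_of(resource_url)
    if pdf_host is None:
        return "prompt"          # desktop copy is its own domain
    if pdf_host == res_host:
        return "silent"          # same origin as the PDF
    if resource_policy_xml:
        for pattern in allowed_domains(resource_policy_xml):
            if fnmatchcase(pdf_host, pattern):
                return "silent"  # cross-domain policy grants access
    return "prompt"
```

Running `overly_broad(allowed_domains(...))` over a policy before publishing it is a quick way to catch a bare `*` entry, which would extend trust to every requesting host.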

Establishing Trust: Opting In

As I mentioned above, when a PDF file is opened from the desktop, it is considered to be its own domain. Nothing that the PDF file references outside of itself will be considered trusted by default. Additionally, some of the most powerful and interesting JavaScripts will be disabled by default and require elevated privileges to run.

You can override these restrictions for content that is specifically trusted, in other words, content whose source you know and that you were expecting to receive. As the PDF author you can take certain steps to help establish trust, which I’ll discuss below, but – ultimately – your end users will need to opt in to trusting your content. The remainder of this article discusses how to help them do that.

Certify your Documents:
This is my preferred method of establishing trust. When Adobe Reader or Acrobat opens a certified document and the certificate used has been trusted to allow Dynamic content and embedded high privilege JavaScript, your document will be able to function properly without security warnings regardless of where the user places the file. Additionally, the user will have the assurance not only that the document came from you but also that it has not been modified or tampered with while it was on the way to them.

The added benefit of certifying documents is that the user will only need to install and configure your certificate once, then all documents that are certified by you will work properly and without restriction.

To see how this works, download and configure my certificate by clicking on the link below.

Download my Certificate

When you open the FDF file, you will be prompted to import my contact information. Note: The contact information will be imported into Acrobat or Reader, not your contact management system. Click the "Set Contact Trust" button to configure my certificate further.

In the "Trust" tab, check all of the boxes and then click "OK".

After you see the import message, you can close out of all of the dialogs.

After installing and permissioning my certificate, try opening the certified version of the Yahoo Map example. You should be able to use it without security warnings.

Certified PDF file with embedded YahooMap opened from Desktop

You can get a certificate from one of Adobe’s Certified Document Services (CDS) partners or use one of your own. One additional point to note is that the Adobe CDS service can be used to automatically certify to the recipient that the author’s identity has been verified by a trusted organization and that the document has not been altered in any way. It does not automatically grant the additional permissions required to play unembedded Dynamic content or other high privilege operations. Your users will need to set these permissions manually as detailed above.

Read more about Adobe’s Certified Document Services (CDS) and find a CDS partner

Because there is a fee associated with getting a certificate issued from our CDS partners, certifying a document may not be the best solution for all users. To get the same behavior as a certified document without using a certificate, Privileged Locations are an excellent option.

Privileged Locations:
Enhanced Security provides a method for specifying locations on your hard drive to store trusted content. Privileged locations can be a single file, a directory, or a host. You’ll need to ask your users to create a folder on their desktop, assign that as a trusted folder in the Acrobat preferences and then to place any files that they receive from you into that folder. By saving your files to that special folder, they are opting in and those files will function without the Enhanced Security restrictions.

To specify a privileged location through the user interface, see "Specify privileged locations for trusted content" in the Acrobat 9 help.

Because Certified documents are secured and thus not fully editable in Acrobat, the Privileged Locations solution is best if you are creating PDF files with Dynamic content and your users will be modifying the file in significant ways. That is, something other than filling in form fields or commenting, which are the only two types of changes permitted by "certified" documents.