new method setUrlAccessPolicy() (#2920)

liborm85 · web-flow · commit d20ac0b4c1e7 · 2026-03-10T07:54:23.000+01:00
* added `setUrlAccessPolicy()` for defining a custom access policy for external URLs before download

* Add warning for undefined URL access policy when running on server or CLI

* fix examples

* fix

* fix server detection

* Update CHANGELOG.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,16 @@
 
 ## Unreleased
 
+- Added `setUrlAccessPolicy()` for defining a custom access policy for external URLs before download
+	(addresses a potential server vulnerability **CVE-2026-26801**)
+
+	Example:
+	```js
+	pdfmake.setUrlAccessPolicy((url) => {
+		// check allowed domain
+		return url.startsWith("https://example.com/");
+	});
+	For details see [documentation](https://pdfmake.github.io/docs/0.3/getting-started/server-side/methods/#url-access-policy)
 - Added validation for image height and width values
 
 ## 0.3.5 - 2026-02-22
diff --git a/examples/absolute.js b/examples/absolute.js
diff --git a/examples/attachments.js b/examples/attachments.js
diff --git a/examples/background.js b/examples/background.js
diff --git a/examples/basics.js b/examples/basics.js
@@ -16,6 +16,12 @@ pdfmake.addFonts({
 });
 */
 
+pdfmake.setUrlAccessPolicy((url) => {
+	// this can be used to restrict allowed domains
+	return url.startsWith('https://');;
+});
+
+
 var docDefinition = {
 	content: [
 		'First paragraph',
diff --git a/examples/columns_simple.js b/examples/columns_simple.js
@@ -4,6 +4,11 @@ var pdfmake = require('../js/index'); // only during development, otherwise use
 var Roboto = require('../fonts/Roboto');
 pdfmake.addFonts(Roboto);
 
+pdfmake.setUrlAccessPolicy((url) => {
+	// this can be used to restrict allowed domains
+	return url.startsWith('https://');;
+});
+
 
 var docDefinition = {
 	content: [
diff --git a/examples/images.js b/examples/images.js
diff --git a/examples/links.js b/examples/links.js
@@ -4,6 +4,12 @@ var pdfmake = require('../js/index'); // only during development, otherwise use
 var Roboto = require('../fonts/Roboto');
 pdfmake.addFonts(Roboto);
 
+pdfmake.setUrlAccessPolicy((url) => {
+	// this can be used to restrict allowed domains
+	return url.startsWith('https://');;
+});
+
+
 var docDefinition = {
 	content: [
 		{
diff --git a/examples/lists.js b/examples/lists.js
@@ -4,6 +4,11 @@ var pdfmake = require('../js/index'); // only during development, otherwise use
 var Roboto = require('../fonts/Roboto');
 pdfmake.addFonts(Roboto);
 
+pdfmake.setUrlAccessPolicy((url) => {
+	// this can be used to restrict allowed domains
+	return url.startsWith('https://');;
+});
+
 
 var docDefinition = {
 	content: [
diff --git a/examples/margins.js b/examples/margins.js
@@ -4,6 +4,11 @@ var pdfmake = require('../js/index'); // only during development, otherwise use
 var Roboto = require('../fonts/Roboto');
 pdfmake.addFonts(Roboto);
 
+pdfmake.setUrlAccessPolicy((url) => {
+	// this can be used to restrict allowed domains
+	return url.startsWith('https://');;
+});
+
 
 var docDefinition = {
 	content: [
diff --git a/examples/outlines.js b/examples/outlines.js
@@ -4,6 +4,12 @@ var pdfmake = require('../js/index'); // only during development, otherwise use
 var Roboto = require('../fonts/Roboto');
 pdfmake.addFonts(Roboto);
 
+pdfmake.setUrlAccessPolicy((url) => {
+	// this can be used to restrict allowed domains
+	return url.startsWith('https://');;
+});
+
+
 var docDefinition = {
 	content: [
 		{
diff --git a/examples/pageReference.js b/examples/pageReference.js
@@ -4,6 +4,11 @@ var pdfmake = require('../js/index'); // only during development, otherwise use
 var Roboto = require('../fonts/Roboto');
 pdfmake.addFonts(Roboto);
 
+pdfmake.setUrlAccessPolicy((url) => {
+	// this can be used to restrict allowed domains
+	return url.startsWith('https://');;
+});
+
 
 var docDefinition = {
 	content: [
diff --git a/examples/pdfa.js b/examples/pdfa.js
@@ -4,6 +4,12 @@ var pdfmake = require('../js/index'); // only during development, otherwise use
 var Roboto = require('../fonts/Roboto');
 pdfmake.addFonts(Roboto);
 
+pdfmake.setUrlAccessPolicy((url) => {
+	// this can be used to restrict allowed domains
+	return url.startsWith('https://');;
+});
+
+
 var docDefinition = {
 	version: '1.5', // PDF version
 	subset: 'PDF/A-3a', // Subset types: // PDF/A-1, PDF/A-1a, PDF/A-1b, PDF/A-2, PDF/A-2a, PDF/A-2b, PDF/A-3, PDF/A-3a, PDF/A-3b, PDF/UA
diff --git a/examples/qrCode.js b/examples/qrCode.js
@@ -4,11 +4,16 @@ var pdfmake = require('../js/index'); // only during development, otherwise use
 var Roboto = require('../fonts/Roboto');
 pdfmake.addFonts(Roboto);
 
+pdfmake.setUrlAccessPolicy((url) => {
+	// this can be used to restrict allowed domains
+	return url.startsWith('https://');;
+});
+
+
 var greeting = 'Can you see me';
 var url = 'http://pdfmake.org';
 var longText = 'The amount of data that can be stored in the QR code symbol depends on the datatype (mode, or input character set), version (1, …, 40, indicating the overall dimensions of the symbol), and error correction level. The maximum storage capacities occur for 40-L symbols (version 40, error correction level L):';
 
-
 function header(text) {
 	return { text: text, margins: [0, 0, 0, 8] };
 }
diff --git a/examples/relative.js b/examples/relative.js
@@ -4,6 +4,12 @@ var pdfmake = require('../js/index'); // only during development, otherwise use
 var Roboto = require('../fonts/Roboto');
 pdfmake.addFonts(Roboto);
 
+pdfmake.setUrlAccessPolicy((url) => {
+	// this can be used to restrict allowed domains
+	return url.startsWith('https://');;
+});
+
+
 var left = 20;
 var width = 130;
 var top = 20;
diff --git a/examples/sections.js b/examples/sections.js
@@ -4,6 +4,12 @@ var pdfmake = require('../js/index'); // only during development, otherwise use
 var Roboto = require('../fonts/Roboto');
 pdfmake.addFonts(Roboto);
 
+pdfmake.setUrlAccessPolicy((url) => {
+	// this can be used to restrict allowed domains
+	return url.startsWith('https://');;
+});
+
+
 var docDefinition = {
 	header: function () { return 'default header'; },
 	footer: function () { return 'default footer'; },
diff --git a/examples/security.js b/examples/security.js
@@ -4,6 +4,12 @@ var pdfmake = require('../js/index'); // only during development, otherwise use
 var Roboto = require('../fonts/Roboto');
 pdfmake.addFonts(Roboto);
 
+pdfmake.setUrlAccessPolicy((url) => {
+	// this can be used to restrict allowed domains
+	return url.startsWith('https://');;
+});
+
+
 var docDefinition = {
 	//userPassword: '123',
 	ownerPassword: '123456',
diff --git a/examples/snaking_columns.js b/examples/snaking_columns.js
@@ -4,6 +4,12 @@ var pdfmake = require('../js/index'); // only during development, otherwise use
 var Roboto = require('../fonts/Roboto');
 pdfmake.addFonts(Roboto);
 
+pdfmake.setUrlAccessPolicy((url) => {
+	// this can be used to restrict allowed domains
+	return url.startsWith('https://');;
+});
+
+
 var loremIpsum = 'Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum. ';
 
 function generateTableBody(rowCount) {
diff --git a/examples/standardfonts.js b/examples/standardfonts.js
@@ -16,6 +16,11 @@ pdfmake.addFonts(Times);
 //var ZapfDingbats = require('../standard-fonts/ZapfDingbats');
 //pdfmake.addFonts(ZapfDingbats);
 
+pdfmake.setUrlAccessPolicy((url) => {
+	// this can be used to restrict allowed domains
+	return url.startsWith('https://');;
+});
+
 
 var docDefinition = {
 	content: [
diff --git a/examples/styling_inlines.js b/examples/styling_inlines.js
@@ -4,6 +4,12 @@ var pdfmake = require('../js/index'); // only during development, otherwise use
 var Roboto = require('../fonts/Roboto');
 pdfmake.addFonts(Roboto);
 
+pdfmake.setUrlAccessPolicy((url) => {
+	// this can be used to restrict allowed domains
+	return url.startsWith('https://');;
+});
+
+
 var docDefinition = {
 	content: [
 		{
diff --git a/examples/styling_named_styles.js b/examples/styling_named_styles.js
@@ -4,6 +4,12 @@ var pdfmake = require('../js/index'); // only during development, otherwise use
 var Roboto = require('../fonts/Roboto');
 pdfmake.addFonts(Roboto);
 
+pdfmake.setUrlAccessPolicy((url) => {
+	// this can be used to restrict allowed domains
+	return url.startsWith('https://');;
+});
+
+
 var docDefinition = {
 	content: [
 		{
diff --git a/examples/styling_named_styles_with_extends.js b/examples/styling_named_styles_with_extends.js
@@ -4,6 +4,12 @@ var pdfmake = require('../js/index'); // only during development, otherwise use
 var Roboto = require('../fonts/Roboto');
 pdfmake.addFonts(Roboto);
 
+pdfmake.setUrlAccessPolicy((url) => {
+	// this can be used to restrict allowed domains
+	return url.startsWith('https://');;
+});
+
+
 var docDefinition = {
 	content: [
 		{
diff --git a/examples/styling_named_styles_with_overrides.js b/examples/styling_named_styles_with_overrides.js
@@ -4,6 +4,11 @@ var pdfmake = require('../js/index'); // only during development, otherwise use
 var Roboto = require('../fonts/Roboto');
 pdfmake.addFonts(Roboto);
 
+pdfmake.setUrlAccessPolicy((url) => {
+	// this can be used to restrict allowed domains
+	return url.startsWith('https://');;
+});
+
 
 var docDefinition = {
 	content: [
diff --git a/examples/styling_properties.js b/examples/styling_properties.js
@@ -4,6 +4,11 @@ var pdfmake = require('../js/index'); // only during development, otherwise use
 var Roboto = require('../fonts/Roboto');
 pdfmake.addFonts(Roboto);
 
+pdfmake.setUrlAccessPolicy((url) => {
+	// this can be used to restrict allowed domains
+	return url.startsWith('https://');;
+});
+
 
 var docDefinition = {
 	content: [
diff --git a/examples/svgs.js b/examples/svgs.js
diff --git a/examples/tables.js b/examples/tables.js
@@ -7,6 +7,11 @@ var pdfmake = require('../js/index'); // only during development, otherwise use
 var Roboto = require('../fonts/Roboto');
 pdfmake.addFonts(Roboto);
 
+pdfmake.setUrlAccessPolicy((url) => {
+	// this can be used to restrict allowed domains
+	return url.startsWith('https://');;
+});
+
 
 var docDefinition = {
 	content: [
diff --git a/examples/textDecorations.js b/examples/textDecorations.js
@@ -4,6 +4,11 @@ var pdfmake = require('../js/index'); // only during development, otherwise use
 var Roboto = require('../fonts/Roboto');
 pdfmake.addFonts(Roboto);
 
+pdfmake.setUrlAccessPolicy((url) => {
+	// this can be used to restrict allowed domains
+	return url.startsWith('https://');;
+});
+
 
 var docDefinition = {
 	content: [
diff --git a/examples/toc.js b/examples/toc.js
@@ -4,6 +4,11 @@ var pdfmake = require('../js/index'); // only during development, otherwise use
 var Roboto = require('../fonts/Roboto');
 pdfmake.addFonts(Roboto);
 
+pdfmake.setUrlAccessPolicy((url) => {
+	// this can be used to restrict allowed domains
+	return url.startsWith('https://');;
+});
+
 
 var docDefinition = {
 	content: [
diff --git a/examples/vectors.js b/examples/vectors.js
@@ -4,6 +4,11 @@ var pdfmake = require('../js/index'); // only during development, otherwise use
 var Roboto = require('../fonts/Roboto');
 pdfmake.addFonts(Roboto);
 
+pdfmake.setUrlAccessPolicy((url) => {
+	// this can be used to restrict allowed domains
+	return url.startsWith('https://');;
+});
+
 
 var docDefinition = {
 	content: [
diff --git a/examples/verticalAlignment.js b/examples/verticalAlignment.js
@@ -4,17 +4,11 @@ var pdfmake = require('../js/index'); // only during development, otherwise use
 var Roboto = require('../fonts/Roboto');
 pdfmake.addFonts(Roboto);
 
-// or you can define the font manually:
-/*
-pdfmake.addFonts({
-	Roboto: {
-		normal: '../fonts/Roboto/Roboto-Regular.ttf',
-		bold: '../fonts/Roboto/Roboto-Medium.ttf',
-		italics: '../fonts/Roboto/Roboto-Italic.ttf',
-		bolditalics: '../fonts/Roboto/Roboto-MediumItalic.ttf'
-	}
+pdfmake.setUrlAccessPolicy((url) => {
+	// this can be used to restrict allowed domains
+	return url.startsWith('https://');;
 });
-*/
+
 
 var docDefinition = {
 	content: [
diff --git a/examples/verticalAlignment2.js b/examples/verticalAlignment2.js
diff --git a/examples/watermark.js b/examples/watermark.js
@@ -4,6 +4,11 @@ var pdfmake = require('../js/index'); // only during development, otherwise use
 var Roboto = require('../fonts/Roboto');
 pdfmake.addFonts(Roboto);
 
+pdfmake.setUrlAccessPolicy((url) => {
+	// this can be used to restrict allowed domains
+	return url.startsWith('https://');;
+});
+
 
 var lorem = 'Lorem ipsum dolor sit amet, consectetur adipiscing elit. Donec id semper massa, nec dapibus mauris. Mauris in mattis nibh. Aenean feugiat volutpat aliquam. Donec sed tellus feugiat, dignissim lectus id, eleifend tortor. Ut at mauris vel dui euismod accumsan. Cras sodales, ante sit amet varius dapibus, dolor neque finibus justo, vel ornare arcu dolor vitae tellus. Aenean faucibus egestas urna in interdum. Mauris convallis dolor a condimentum sagittis. Suspendisse non laoreet nisl. Curabitur sed pharetra ipsum. Curabitur aliquet purus vitae pharetra tincidunt. Cras aliquam tempor justo sit amet euismod. Praesent risus magna, lobortis eget dictum sit amet, tristique vel enim. Duis aliquet, urna maximus sollicitudin lobortis, mi nunc dignissim ligula, et lacinia magna leo non sem.';
 
diff --git a/src/URLResolver.js b/src/URLResolver.js
@@ -14,6 +14,14 @@ class URLResolver {
 	constructor(fs) {
 		this.fs = fs;
 		this.resolving = {};
+		this.urlAccessPolicy = undefined;
+	}
+
+	/**
+	 * @param {(url: string) => boolean} callback
+	 */
+	setUrlAccessPolicy(callback) {
+		this.urlAccessPolicy = callback;
 	}
 
 	resolve(url, headers = {}) {
@@ -22,6 +30,11 @@ class URLResolver {
 				if (this.fs.existsSync(url)) {
 					return; // url was downloaded earlier
 				}
+
+				if ((typeof this.urlAccessPolicy !== 'undefined') && (this.urlAccessPolicy(url) !== true)) {
+					throw new Error(`Access to URL denied by resource access policy: ${url}`);
+				}
+
 				const buffer = await fetchUrl(url, headers);
 				this.fs.writeFileSync(url, buffer);
 			}
diff --git a/src/base.js b/src/base.js
diff --git a/tests/unit/Node-interface.spec.js b/tests/unit/Node-interface.spec.js
