
Safe PDF Reader for VS Code: Security for "Just Reading Files"

PDFs have a decades-long history as malware vectors, yet most VS Code extensions treat them like any harmless document. Because VS Code lacks a built-in PDF reader, developers usually rely on third-party extensions that embed full browser engines or silently pull rendering libraries from external CDNs.

This quietly introduces a massive attack surface and unwanted outbound dependencies.

So I developed a VS Code extension that does only one thing, in a secure way: reading PDF files. Install it today from the VS Code Marketplace: Safe PDF Viewer.

How Safe PDF Viewer Protects You

Most viewers inherit the default (and often insecure) settings of their underlying libraries. Safe PDF Viewer uses a bundled version of PDF.js with every dangerous attack surface explicitly locked down:

  • PDF JavaScript is hard-disabled: By setting isEvalSupported: false, the renderer refuses script execution entirely. This isn't just a content filter; it's a hard capability disable.
  • Strict Content Security Policy (CSP): The webview runs under default-src 'none' with nonce-gated inline scripts. Each render gets a fresh nonce, meaning only the script generated for that specific render can execute.
  • Fully offline (No CDNs): PDF.js is bundled locally. Opening a PDF makes zero outbound network requests, so the extension also works in air-gapped environments.
  • Scoped file access: The extension limits read access strictly to the directory containing the open PDF and the extension's internal library. It cannot read arbitrary files from your disk.
  • Safe external links: Links using javascript:, data:, or file: schemes are blocked. Only standard http/https URLs are allowed to open in your system browser.
  • Strictly read-only: Built on CustomReadonlyEditorProvider, the extension has no write path and never alters your files.

Even if an upstream vulnerability is discovered in PDF.js, these layers significantly limit what a malicious PDF can exploit.

What It Does (and Doesn't Do)

Every feature in Safe PDF Viewer was weighed against its security implications.

Core Features Included:

  • Zero-config viewing: Instantly open any .pdf file.
  • Smooth navigation: Arrow keys, Page Up/Down, and direct page number entry.
  • Text search: Standard Ctrl+F / Cmd+F functionality with match highlighting.
  • Flexible zoom: Fit-to-page, step zoom, or set a fixed default percentage.
  • Secure password support: Inline prompts and retries for encrypted PDFs.
  • Theme integration: Automatically respects your VS Code theme (light, dark, high-contrast).

Features Intentionally Excluded:

To eliminate unnecessary attack vectors, the following features have been left out by design:

  • No editing or annotations: Strictly read-only to prevent unauthorized modifications.
  • No form filling: PDF forms are a common carrier for malicious payloads.
  • No embedded media playback: Excluded to prevent sandbox violations.
  • No printing: Avoids OS-level complexities outside the extension's scope.

If you need to fill forms or annotate documents, we recommend using a dedicated, standalone tool where those capabilities are expected and properly audited.

Check Out the Code

Safe PDF Viewer is fully open-source under the MIT License.

View the source code on GitHub