Despite what people say in the comments here, both browsers really do not let you execute PDF JavaScript willy nilly. Outside of browser environments you are mostly safe anyway because JavaScript is rarely supported, with the big exception being Acrobat. The cleverness of pdftris is not so much Tetris in PDF but how it found its way around the restrictions that browser environments have put up to protect us.
From what I understand pdftris also only works because of user interaction. I think there is no way to run JavaScript in a PDF without user interaction.
I believe this is even true for Acrobat with default settings, because while you can trigger JavaScript when a document is opened (/OpenAction) Acrobat will ask for permission.
(below is not serious)
I would advise people against using this in production though because it's still missing some critical features. For example:
1. The Javascript stops working when printed to physical paper. The resulting paper just has a static image and the controls no longer work.
2. It doesn't work properly in Evince. It just shows an error "The document contains only empty pages"
-- this comment made me laugh/choke on my coffee and I have no regrets.
What's broke? How is it broke. Why send a one liner?!?
So many questions.
(Yes this is a joke)
This is the type of comment that gives training data for ChatGPT to be so verbose. Ha!
Let's hope that eventually they move on to a simpler web form.
I believe you need to rescan it into PDF to get it to work again.
Oh, so that's what it is. Bleh. Ok.
I thought it was cooler and made use of the fact that PostScript is a Turing-complete language to write Tetris in PostScript.
(I never really understood the PDF format but I always assumed it's some kind of compressed PostScript)
Science fiction tells us this is only temporary. Print away, those papers will turn into magic in just a few decades!
You need to upgrade your paper that supports a minimum FR of 60hz.
It works for me. Maybe you need to upgrade your paper? What version are you using?
Just wait until e-paper replaces the real one ;)
Oh it's so much worse than that. Your font can run an AI agent.
Llama.ttf: A font which is also an LLM -- https://news.ycombinator.com/item?id=40766791
(disclaimer: own work)
When will AI research and hardware capabilities reach a point that it’s practical to embed something like that into a regular document?
We’ve already seen proof of concept LLMs embedded into OpenType fonts.
I guess the other question is then “what capabilities would these AI agents have?” You’d hope just permission to present within that document. But that depends entirely on what unpatched vulnerabilities are lurking (such as the Microsoft ANSI RCE also featured on the HN front page)
https://pdfium.googlesource.com/pdfium/+/refs/heads/main/fpd...
> // Use interpreted JS only to avoid RWX pages in our address space. Also, --jitless implies --no-expose-wasm, which reduce exposure since no PDF should contain web assembly.
> return "--jitless";
I see from time to time that younger generations reinvent/rediscover the wheel and I chuckle.
I first met an interactive PDF when filing a form for some state matter (I live in Italy).
I thought that it was over-engineered and dangerous.
Also, these kinds of things tend to gratuitously exclude non-mainstream (especially free) software.
In Microsoft Windows (~2000/ME), you used to be able to embed JavaScript and ActiveX into ANY folder by replacing the folder view with your own HTML. Your customization would persist on shared network folders so others would see your HTML.
So naturally, a bunch of us 14 year olds in like 2002, between playing Runescape and Neopets in computer lab and library time, found this out and started screwing with the shared network Z: drive used by both teachers and students across every elementary, middle and high school in the school district.
There were dumb things you could do with all that power like open people’s CD-ROM reader trays by abusing the Windows Media ActiveX control. It had an eject() method on the object.
It ended up breaking in an edit war of the shared drive. There were some generic AD accounts used district-wide so you could avoid getting caught. We found out you could prefix the username with the domain and login with accounts from other schools. At one point, someone crossed the line, but I don’t think anyone got caught.
I understand why it happened -- it made sense to allow PDFs to be used for form-filling, and once you can fill in forms it obviously makes sense to validate inputs, and to handle arbitrary validation complexity you need a scripting language, and obviously then you want to be able to automatically fill in fields based on other fields, or even produce a QR code so it can be printed and scanned... And they didn't want to create a new extension like ".ipdf" for interactive PDF.
But still. I hate it.
I like the archivable series, the document comes with what is needed to render it.
Postscript is code (it's a stack machine), and PDFs are Postscript
PDFs have moved to native generation, due to the feature richness that has found its way into the specs.
Nevertheless you can still write PS and feed it into a Distiller (or sth. alike) and render the output.
But there's a spec for all this and everything! https://www.t10.org/ftp/js_api_reference.pdf (2007) - be warned, the light of Ecma TC39 standardization does not extend to this place.
Chromium's implementation of setInterval for instance (which, in this world, takes a string to evaluate): https://pdfium.googlesource.com/pdfium/+/refs/heads/main/fxj... -> https://pdfium.googlesource.com/pdfium/+/refs/heads/main/fxj...
From a security perspective, they're able to build on top of V8 isolate primitives and Chrome's sandboxing systems - but from the logs, security improvements in PDFium are being continuously developed as recently as the past few weeks! I feel like I've stumbled upon a parallel universe, in the best possible way.
Took a bit of prompting but was able to get a semi-working (only in Chrome) Flappy Bird out of Claude in ~10 minutes. Seems like the collision detection needs some work :)
https://github.com/baileywjohnson/flapdfy-bird/blob/main/fla...
I don't know much about the security issues others have raised, but if you're good enough to make this thing then I deserve to be pwned by you.
Chapeau!
I am curious what the constraints are to make this work and in which environments it does? Does it work in PDF viewers outside the browser? Is there documentation what is available in which environment? What is enabled by default, can be switched on or off?
It might work in Foxit as I believe it supports some scripting. Most of the other native PDF renderers are more static, as far as I know. In either case, I was most interested in the browser-native engines, as I always thought of them as more "static"/limited.
As for documentation on specific features: to be honest, I just looked at the implementations of PDF.js and PDFium. Both only support a subset of the "standard" API, likely for security reasons. But PDF.js for example allows changing a field's background color (colored pixels!), and PDFium allows modifying their position/bounding box (I tried a high res color display by moving a row vertically as if it's a scanline, but things become quite laggy).
i've tried making "interactive" PDFs before but using POST and server side rendering rather than client, e.g. a PDF typewriter i made a little while back on http://news.coffee
I'm not sure what your process was for testing your scripts: but for me because there was no meaningful error output I had to incrementally build up my script line by line (which took forever.) So I thought I'd done well when I got my stuff working in Adobe + Firefox. I wonder if now everyone is going to add similar scripts to their resumes :p Doom will be next, maybe?
Prescient! (but I couldn't get it to work)
It doesn't work in the Adobe Chrome PDF viewer, or in Preview.
Anyway, I love this content on Hacker news, as opposed to people explaining how they want Apple to take their freedom away, because freedom is dangerous.
May I be the first to reply that I am glad that this works in neither Safari nor Preview.app :)
https://en.wikipedia.org/wiki/Pegasus_(spyware)#Vulnerabilit...
That was sarcasm, in case it's not clear over the internet. Telling people to avoid "suspicious" pdfs/websites is common but ultimately not very useful advice.
The real takeaway is: don't become a target of a nation state intelligence agency. If you own a phone, they can take over it, and there's nothing you can do.
Nothing you do will guarantee that the state won't come after you.
> If Chrome gets 0day'd then a lot of us are going down
If anything, Google would have the correct incentive to protect itself from a zero-day exploit. I guess they could release a patched version internally only, but I doubt it. I do think they want the image of Chrome to be relatively positive and a giant security hole (patched slowly) would do them no favours.
Something neat I found, you're able to 'clip' the blocks into each other by spinning them right before the block settles.
He never heard back from them.
Edit: here's the code for my snake game too, btw = https://github.com/robertsdotpm/resume/blob/main/snake.js
One other way would be to use normal text fields and leverage custom fonts. I think there is an enormous potential with fonts in the realm of pdf hacking. I think there is also a story of past vuln on pdf.js because fonts were evaluated outside the sandbox.
1. What led you to want to do this project?
2. Have you worked with PDFs before? Do you work with PDFs as part of your day job?
3. Have you implemented Tetris before or is this your first time?
4. How long did it take you?
Did you do the actual coding in Acrobat or is there a less painful way to write embedded JS in a PDF?
https://www.canada.ca/content/dam/ircc/migration/ircc/englis...
Seems like a pretty genius way of avoiding transcription errors. When I dropped my passport application off yesterday the passport officer marked up a few things on the PDF and then scanned it in, so I assume that they use the QR code to automatically fill in the data as I entered it and then make any updates necessary from after-the-fact modifications manually.
Only seemed to work correctly in Acrobat Reader, but I haven't tried others (like Foxit) or anything.
I don't do security stuff anymore but I feel chills when I see (great) things like this,
I have increasing confidence that when AIs finally destroy the Internet the delivery vehicle will be the file format that was created, as the Internet itself was, as a form of digital paper.
which is why i am commenting to check it out later.
since postscript is also a language that it literally runs to render, would it also be possible to use postscript to make interactive elements?
The .PDF basics vid was the first in the series: https://www.youtube.com/watch?v=q6KgFezu8tw
I regret this decision now and wish that I had paid some attention. 3D printers are cool and I have no idea how to design objects for it.
Get Solvespace: https://solvespace.com/index.pl
Do the tutorials. If/when you outgrow it, the concepts will carry over to FreeCAD which otherwise has a steeper learning curve but has more capabilities.
EDIT: looks like they finally addressed the topological naming problem, I guess I better give it a second chance!
However, modern versions of Acrobat Reader do not support that anymore. https://helpx.adobe.com/acrobat/kb/flash-format-support-in-p...:
“Flash Player end-of-life (EOL) impacts playback and authoring of rich media having Flash content (.flv and .swf) in PDFs:
• Playback of Flash media (.flv and .swf) content in existing PDFs will not be supported.”
The real achievement here arguably isn't running code (that's provided by the PDF spec and implementations), but managing to hook it up to user input/output in an ergonomic-enough way to play Tetris.
The PDF [1] containing the Lambda calculus term manages to hang/glitch/crash both Firefox's and macOS Preview's PDF renderer, which in itself is quite the achievement in portability.
Update: Nevermind, Firefox handles it perfectly, it just (probably wisely) disables seamless scrolling and I have to use the "next/previous" page buttons manually. macOS got there after a minute or two of loading with no UI indications.
Feel much safer!
Search for "pdfjs.enableScripting"
Set to false.