Disable JavaScript in the ebook-viewer

edp445 · 05-02-2022, 06:29 AM

Hello there

. I've been using Calibre to manage my e-book library for a while now, but I've recently started to use the integrated ebook-viewer to read ebooks on the computer at home.

One feature of Calibre's ebook-viewer that concerns me is the support for embedded JavaScript within EPUB books - I've verified that Calibre supports embedded JavaScript with [this](https://github.com/fxpar/interactive-epub-checker) EPUB3 file.

Even with sandboxing enabled in the Chromium engine, I'm still concerned about the security implications of the ebook-viewer executing random pieces of JavaScript from books that may have come from untrusted sources.

Even if there is absolutely no security concern, the idea of a random EPUB file being able to modify its' own content is unnerving, and I'd much rather be able to disable it.

For example, Firefox's PDF.js recently implemented JavaScript within PDF files (which I believe is equally as nonsensical). Here, the scripting can be disabled by a special feature flag in about:config. It would be great if there was an equivalent for Calibre's ebook-viewer as well - it would improve security and also give me peace of mind!

Thank you

kovidgoyal · 05-02-2022, 07:09 AM

Sorry, I have no interest in implementing such a feature. calibre's viewer is based on chromium and all book javascript is executed in a separate process (via a iframe). If you think that's insecure I assume you also browse the internet with JS disabled. And if you do that, you might as well just convert your books to a format without support for JS and read that. Use FB2 or DOCX

05-02-2022, 06:29 AM	#1
edp445 Junior Member Posts: 1 Karma: 10 Join Date: May 2022 Device: none	Disable JavaScript in the ebook-viewer Hello there . I've been using Calibre to manage my e-book library for a while now, but I've recently started to use the integrated ebook-viewer to read ebooks on the computer at home. One feature of Calibre's ebook-viewer that concerns me is the support for embedded JavaScript within EPUB books - I've verified that Calibre supports embedded JavaScript with [this](https://github.com/fxpar/interactive-epub-checker) EPUB3 file. Even with sandboxing enabled in the Chromium engine, I'm still concerned about the security implications of the ebook-viewer executing random pieces of JavaScript from books that may have come from untrusted sources. Even if there is absolutely no security concern, the idea of a random EPUB file being able to modify its' own content is unnerving, and I'd much rather be able to disable it. For example, Firefox's PDF.js recently implemented JavaScript within PDF files (which I believe is equally as nonsensical). Here, the scripting can be disabled by a special feature flag in about:config. It would be great if there was an equivalent for Calibre's ebook-viewer as well - it would improve security and also give me peace of mind! Thank you

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
How to disable CSS property in viewer?	odonterla	Calibre	2	05-14-2020 10:50 PM
E-book viewer - disable TOC sync ?	vilius	Calibre	2	04-10-2014 09:29 AM
Disable Javascript in Book View	TheGreatGig	Sigil	7	11-21-2011 09:32 AM
[old-topic]ebook-viewer: Open source, crossplatform viewer for EPUB, LIT, MOBI, etc	kovidgoyal	Calibre	68	05-30-2011 08:46 PM
# user css for viewer.py/ ebook-viewer/ prs-650	tscamera	Calibre	0	01-02-2011 06:28 PM

05-02-2022, 07:09 AM	#2
kovidgoyal creator of calibre Posts: 45,251 Karma: 27110894 Join Date: Oct 2006 Location: Mumbai, India Device: Various	Sorry, I have no interest in implementing such a feature. calibre's viewer is based on chromium and all book javascript is executed in a separate process (via a iframe). If you think that's insecure I assume you also browse the internet with JS disabled. And if you do that, you might as well just convert your books to a format without support for JS and read that. Use FB2 or DOCX

Advert