How will Acrobat’s new sandbox play with my workflow?

Following the addition of sandbox technology to Adobe’s flagship product, people (including we at Planet PDF) have been keen to nail down the practical implications of the move. Sure, it makes PDF viewing safer, but how will it affect my elegant PDF document workflow? In this article, I take a look at some of the finer points of ‘Protected View’, Acrobat’s new bodyguard.

What is Protected View?

Protected View is the name that Adobe has given to Acrobat’s sandbox technology. Basically, it’s a secure mode that isolates PDF documents viewed in Acrobat or a web browser from system resources. For a little more on this, check out my original article on the topic.

Will Acrobat’s Protected View be enabled automatically?

In a word, ‘no’, at least for the full, standalone version of Acrobat. Viewing PDFs in the browser is a special case (see below). I wrote earlier that Protected View would be enabled by default. Well, it turns out that I was wrong. Sorry about that! I have now added a correction note to the original piece. According to a pair of blog posts by Adobe’s Joel Geraci on The PDF Developer Junkie Blog, Adobe Reader’s sandbox tech (‘Protected Mode’) will be enabled by default for improved security; however, Acrobat’s ‘Protected View’ will be disabled to avoid breaking existing workflows. To recap, the defaults are that Reader’s sandbox tech is enabled, while Acrobat’s is disabled.

Even though Protected View isn’t automatically activated, Geraci recommends enabling it for casual users working in unsecured environments, and I agree with him. In Acrobat, opening a PDF in Protected View gives you a warning bar that alerts you to the potentially unsafe source of the file, and includes a button that allows you to ‘Enable All Features’. When you need the extra features to work with a given PDF document, you can just hit the handy button to exit Protected View.

The story is different for viewing PDFs in a browser. The browser version of Protected View doesn’t give you an alert and doesn’t allow you to enable the document. Instead, the interface basically looks like Adobe Reader. Users can still do things like fill in and save form data, add signatures and the like if the document has been ‘rights enabled’. This means that you can potentially do a little more with PDFs in the browser’s Protected View than in Acrobat’s. That said, the browser doesn’t let you exit Protected View to activate Acrobat’s full functionality.

Will Protected View affect all PDF files?

The short answer here is ‘it depends’. Protected View has two modes (well, three, if you count ‘Off’):

  1. Off: Protected View is disabled. With this setting, no PDF documents open in Protected View.
  2. Files from potentially unsafe locations: According to Geraci/Adobe, this is the recommended option. Web browsers and email clients generally flag downloaded files and email attachments as ‘potentially unsafe’. Using this setting, such files will be opened in Protected View.
  3. All files: This is the most restrictive option. With this setting, even documents that you have just created yourself will open in Protected View.

Privileged Locations

As mentioned earlier, it is possible to enable editing for an open document via the ‘Enable All Features’ button. This step also adds the document to a whitelist of trusted sources, or ‘Privileged Locations’. If you go into Edit > Preferences > Security (Enhanced), it’s also possible to add a folder path or a host (e.g., a website URL) to your list of Privileged Locations. The idea is that this list represents sources that you trust to provide safe PDF files.

This system interacts with the Protected View settings in interesting ways. Regardless of the setting, hitting ‘Enable All Features’ adds the file to the list of Privileged Locations, and it’s always possible to add or remove entries from the list. Using the ‘Files from potentially unsafe locations’ setting, documents from the whitelist don’t open in Protected View. In other words, the list of Privileged Locations operates like a standard whitelist, in that the security features let trusted documents through the net. By contrast, the ‘All files’ setting ignores the whitelist: every time you open a document, regardless of the source, it will open in Protected View. This includes documents you have created yourself, along with documents you have previously enabled. Due to this, the ‘All files’ setting is only recommended for situations in which trust cannot be established for any files or domains.
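To make the interaction between the three Protected View modes and the Privileged Locations list concrete, here is an added Python model of the open-file decision as the article describes it. It is my illustration, not Adobe’s code or its actual preference storage; the class and function names are made up, and the folder check deliberately compares path components so that a trusted folder cannot be matched by a sibling whose name merely starts the same way.

```python
from dataclasses import dataclass, field
from enum import Enum
from pathlib import PureWindowsPath
from urllib.parse import urlparse


class PVMode(Enum):
    OFF = 0           # 'Off'
    UNSAFE_ONLY = 1   # 'Files from potentially unsafe locations' (recommended)
    ALL_FILES = 2     # 'All files'


@dataclass
class PdfSource:
    location: str          # local path, or the URL the PDF was fetched from
    flagged_unsafe: bool   # browser / mail client marked it as a download or attachment


@dataclass
class PrivilegedLocations:
    """Hypothetical model of the whitelist: enabled files, trusted folders, trusted hosts."""
    files: set = field(default_factory=set)
    folders: set = field(default_factory=set)
    hosts: set = field(default_factory=set)

    def trusts(self, src: PdfSource) -> bool:
        if src.location.lower().startswith(("http://", "https://")):
            return (urlparse(src.location).hostname or "") in self.hosts
        path = PureWindowsPath(src.location)
        if str(path).lower() in {f.lower() for f in self.files}:
            return True
        # Component-wise prefix: C:\Trusted must not match C:\TrustedEvil\x.pdf
        return any(_is_within(path, PureWindowsPath(f)) for f in self.folders)


def _is_within(path: PureWindowsPath, folder: PureWindowsPath) -> bool:
    p = [c.lower() for c in path.parts]
    f = [c.lower() for c in folder.parts]
    return len(p) > len(f) and p[:len(f)] == f


def enable_all_features(src: PdfSource, trusted: PrivilegedLocations) -> None:
    """'Enable All Features' exits Protected View and records the file as trusted."""
    trusted.files.add(src.location)


def opens_in_protected_view(mode: PVMode, src: PdfSource, trusted: PrivilegedLocations) -> bool:
    """Decide whether a PDF opens sandboxed, following the rules in the article."""
    if mode is PVMode.OFF:
        return False
    if mode is PVMode.ALL_FILES:
        return True  # whitelist is ignored: even previously enabled files open sandboxed
    return src.flagged_unsafe and not trusted.trusts(src)
```

The constructed cases worth trying are a download from a trusted folder versus one from a look-alike folder, and an enabled file re-opened after switching to ‘All files’.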

My plug-ins, my beautiful plug-ins!

So, what does Protected View mean for my favorite plug-ins? Mostly, business as usual, actually — unless your favorite plug-in aims to govern whether users can open a document at all. Most plug-ins that are designed to manipulate the contents of PDF documents — as well as Acrobat’s own commenting tools — simply don’t work in Protected View. That’s sort of the point, actually: restrict interaction with a document until the user decides to trust its source. As soon as Acrobat’s full functionality is enabled, hey presto, so are its plug-ins. Adobe’s official position seems to be that third-party developers should educate their users about Privileged Locations rather than just running Acrobat with Protected View turned off. That way, users will be able to interact as they like with the files they deem ‘safe’, but remain protected from those with more suspect origins.

Some plug-ins need to be able to run in Protected View, however. These are DRM (digital rights management) plug-ins that verify whether a user is permitted to open a given document. Apparently, the implementation of Protected View disrupts this process by cutting off the communication between the plug-in and the verification server. This can be overcome, however, using a trusted proxy, something called a ‘broker process’. The broker can create a dedicated communication channel between a specific, approved plug-in and its verification server for the sole purpose of authentication. According to Geraci/Adobe, there is a sample in the SDK (software development kit) that demonstrates how to do this.

With the addition of Protected View, Acrobat adds some welcome security without taking a significant hit to its usability. I admit, though, I am curious to see what happens with browser-based PDF viewing when Mozilla finishes its open source PDF renderer, pdf.js. Due to the way in which it is being built (i.e., using HTML5 and JavaScript), Mozilla’s viewer will be immune to the kind of code injection attacks that sandbox technologies aim to prevent.

About the Author: Dan Shea
