Sorry -- this report should not be limited to OS: Mac.  This behavior is also present under Linux and Windows Chrome builds.

The same risk inherently holds true for HTML documents, and it's not clear that users have any different expectations of privacy when opening a PDF file vs. a HTML file.

For plugins not to be able to make HTTP requests has never been a Chromium security goal, and I don't think it is for the privacy team, either. PDFium can do much less than Flash, for example. PDFium is just another web contents renderer.

Anyway, I'll leave it for Privacy team to decide. Maybe I'm wrong.

Thank you for your feedback and for relaying my concerns onto the privacy team.  In general, I had not thought of this as being web content rendering in the way that for example Flash is.  In general, I think that Google has very high-standards for privacy and therefore I was very unpleasantly surprised to find that it is actually doing less (in this situation) to safeguard my privacy than Adobe, Apple, or Microsoft.

To me it makes a big difference in which context the user sees a PDF:
- If I open foobar.com/test.pdf, I would not mind if test.pdf fetchs resources because foobar.com has the same power to leak the fact that I open the PDF.
- If I open a local/downloaded file, I would not expect that to have the capability to communicate to the outside world.

I'd be supportive to a prompt in the latter case and open to a prompt in both cases. I'd be curious how often it would be seen by users.

Yes, the open file from local file:// case is certainly more concerning, but also consider that the file on foobar.com can trigger DNS and make requests to other sites.  This is important if foobar.com may be a "trusted" CDN or any site allowing user uploads.

The Firefox and Apple Preview behavior seems more appropriate to me.  (PDF does not trigger external resource requests in my tests.)

Additionally, I would like to point out that there is the potential for unexpected or abusive behavior if the PDF document makes a /URI reference back to itself as shown with https://brainwashing.secur3.us/foo.pdf

In my browser, this document makes the tab reload in a loop and if I try to open a new tab, the file is also loaded in that tab and keeps reloading itself.  Similarly, if I open a new window, the document is loaded in the new window rather than opening the "new tab page" as my settings indicate should happen.

This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available. If you change it back, also remove the "Hotlist-Recharge-Cold" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot