Strands PDF Embed

PDF Embed renders PDFs directly in your pages using PDF.js: no plugins for the visitor, no Google Docs iframes, no third-party trackers. PDF.js is bundled inside the plugin and served from your own site, so no third-party requests are ever made.

Built by Fren at Strands Services Ltd. Support: fren@strands.gg.

Features

  • Continuous vertical scroll across all pages, with lazy rendering via IntersectionObserver
  • Page navigation, zoom, fit-to-width, download, and print controls (these toggle which buttons render in the toolbar; they’re a UI choice, not access control; see the Security section)
  • Global sizing modes: Responsive, Fixed, or Fixed Aspect Ratio (A4, Letter, 16:9, 4:3, 1:1, or custom)
  • Light, Dark, or Auto color mode (Auto follows the visitor’s OS/browser prefers-color-scheme)
  • Per-mode color customization (with alpha/transparency support on the Page Shadow field), plus a safely-scoped Custom CSS field for power users
  • Live preview on the settings page
  • Editors: Gutenberg block, Classic Editor TinyMCE button, Enfold ALB element, Elementor widget, WPBakery element, and [pdf_embed] shortcode
  • Media Library picker filtered to PDFs only
  • Translation-ready (English + Hungarian included)
  • Theme-overridable viewer template

Shortcode

[pdf_embed id="123" sizing="responsive" download="yes" navigation="yes" zoom="yes"]

All attributes are optional except id. Per-embed attributes override the global defaults set on the Sizing and Appearance tabs.

Security

  • Frontend visitors have no attack surface: no REST endpoints, no AJAX handlers, no form submissions.
  • Shortcode attribute sanitizers reject any value outside strict whitelists (units, hex/rgba colors, W:H ratios).
  • Attachment access is gated by current_user_can('read_post', $id); contributors cannot embed other users’ private PDFs.
  • pdfjsLib.getDocument() is called with isEvalSupported: false to prevent font-based JS execution.
  • All output is routed through WordPress’s escape functions (esc_html, esc_attr, esc_url, wp_kses, wp_print_inline_script_tag). The release pipeline includes a check that fails the build if a phpcs:ignore for the output-escaping sniff ever appears in shipped code.
  • Canvas size is clamped to ~268M pixels per page. Page count is capped at 2000 per embed. Both prevent client-side DoS from hostile PDFs.
  • PDF.js ships inside the plugin and loads only from your own domain; no third-party servers are contacted.
  • Debug information (attempted mime, extension) is only emitted when WP_DEBUG is on.
  • Content-Security-Policy: the plugin emits one inline <style> (appearance CSS variables) and one inline <script type="module"> (PDF.js loader). The script tag is rendered via wp_print_inline_script_tag(), so a CSP nonce supplied through the wp_inline_script_attributes filter is applied automatically. On sites without that wiring, a strict CSP needs style-src 'unsafe-inline' and script-src 'unsafe-inline' for the viewer to boot.
  • Toolbar toggles are UI affordances, not access control. The shortcode’s download, navigation, and zoom attributes (and the matching options in the editors) control which buttons appear in the viewer toolbar; they don’t restrict what the visitor’s browser can do once the page is rendered. PDF.js needs the entire PDF in the browser to display it, so the bytes are always reachable from the browser’s network/devtools panel by anyone who can see the page. The pdfEmbedGetInstance(container) JS handle also exposes the underlying viewer methods regardless of which buttons render. If you need to keep a PDF away from a viewer, gate the post behind WordPress’s permission system (private/draft, role-restricted, members-only plugin). Don’t rely on the toolbar toggles.
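
One way to wire the nonce described in the Content-Security-Policy item, as an added example for a site-level mu-plugin; it is not code from Strands PDF Embed. The example_csp_nonce() name and the policy directives are assumptions, and style-src keeps 'unsafe-inline' because this page does not say the plugin's inline <style> receives a nonce.

```php
<?php
/**
 * Added example: per-request CSP nonce for inline scripts printed through
 * wp_print_inline_script_tag(), including the PDF Embed module loader.
 * Function name and policy string are assumptions, not the plugin's code.
 */

// One nonce per request, shared by the response header and the script tags.
function example_csp_nonce(): string {
    static $nonce = null;
    if ( null === $nonce ) {
        // 18 random bytes encode to 24 base64 characters with no padding.
        $nonce = base64_encode( random_bytes( 18 ) );
    }
    return $nonce;
}

// WordPress passes inline script attributes through this filter before
// printing the tag, so the viewer's inline <script type="module"> gets
// nonce="..." without any change to the plugin.
add_filter(
    'wp_inline_script_attributes',
    function ( array $attributes ): array {
        $attributes['nonce'] = example_csp_nonce();
        return $attributes;
    }
);

// Send the matching policy on front-end responses.
add_filter(
    'wp_headers',
    function ( array $headers ): array {
        if ( is_admin() ) {
            return $headers; // Leave wp-admin screens untouched.
        }
        // Assumed starting policy. While testing, the header name can be
        // swapped for Content-Security-Policy-Report-Only.
        $headers['Content-Security-Policy'] = implode(
            '; ',
            array(
                "default-src 'self'",
                // 'self' covers the bundled PDF.js files served from this site.
                "script-src 'self' 'nonce-" . example_csp_nonce() . "'",
                // Inline <style> has no nonce in this sketch (assumption).
                "style-src 'self' 'unsafe-inline'",
            )
        );
        return $headers;
    }
);
```

A per-request nonce only matches when the HTML and the header come from the same response, so check how any full-page cache on the site stores headers before enforcing the policy.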

Third-party libraries

The plugin bundles minified copies of these libraries under assets/js/vendor/. Full un-minified source is available from each project’s repository at the pinned version listed below:

  • PDF.js 5.7.284 (pdf.min.js, pdf.worker.min.js) — Apache 2.0 — https://github.com/mozilla/pdf.js/releases/tag/v5.7.284
  • wp-color-picker-alpha 3.0.4 (wp-color-picker-alpha.min.js) — GPL-2.0-or-later — https://github.com/kallookoo/wp-color-picker-alpha
  • Phosphor Icons (inline SVG, Regular weight) — MIT — https://github.com/phosphor-icons/core

The plugin’s own PHP, JS, and CSS are shipped as-is without minification, so the deployed code is also the source.

Details

  • Plugin code: strands-pdf-embed
  • Plugin version: 1.0.5
  • Outdated: No
  • WP version: 6.4 or higher
  • PHP version: 8.1 or higher
  • Tested up to WP version: 7.0
  • Total installations: 0
  • Last updated: 2026-06-04
  • Times rated: 0
  • Tags: document, embed, pdf, pdfjs, viewer