try to sanitizer you url and make pdfUrl : SafeResourceUrl as
pdfUrl: SafeResourceUrl; constructor( private sanitizer: DomSanitizer, ) { }
and sanitizer it like that
this.pdfUrl= this.sanitizer.bypassSecurityTrustResourceUrl(res);