try to sanitizer you url and make pdfUrl : SafeResourceUrl as

  pdfUrl: SafeResourceUrl;
  constructor(
  private sanitizer: DomSanitizer,
  ) { }

and sanitizer it like that

 this.pdfUrl= this.sanitizer.bypassSecurityTrustResourceUrl(res);