The last project I was working on was having a requirement hiding the file URL in browser, for security reason. The file was actually PDF file and was containing user's order data. So to restrict the access to PDF file I've created a page callback, where I've written small piece of code to show the PDF output directly in page. Here is the sample code:

= 'path/to/PDF/file.pdf';
$filename = 'filename.pdf';
header('Content-type: application/pdf');
header('Content-Disposition: inline; filename="' . $filename . '"');
header('Content-Transfer-Encoding: binary');
header('Accept-Ranges: bytes');

The "Content-Disposition:inline; filename='filename.pdf'" and "Accept-Ranges:bytes" options in header(), will get the PDF data as input and show in the Web Page.