Setting SRC using JavaScript will cause security issue.Other way to achieve this first you upload file to the sever in some temp folder than display it and once user confirm it. Move it to the target folder. Below is code for your reference
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>Untitled Page</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<div>
<asp:FileUpload ID="FileUpload1" runat="server" />
<asp:Button ID="Button1" runat="server" Text="Button" onclick="Button1_Click" />
</div>
<div id="divPDF" runat="server">
<object data="<%=pdfPath%>" type="application/pdf" style="height:500px; width: "500px" >
</object>
</div>
</div>
</form>
</body>
</html>
protected string pdfPath;
protected void Page_Load(object sender, EventArgs e)
{
divPDF.Visible = false;
}
protected void Button1_Click(object sender, EventArgs e)
{
if (FileUpload1.FileName != "")
{
FileUpload1.SaveAs(Server.MapPath(FileUpload1.FileName));
pdfPath = FileUpload1.FileName;
divPDF.Visible = true;
}
}