Bug 1730419 Comment 9 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

The general rationale for this change can be found here in bug 1500453.

(In reply to dr.kral from comment #7)
> Other browsers such as Edge, Chrome, Opera behave as Firefox did before version 92.

There is no standard for this particular situation, unfortunately. File URIs are somewhat underspecified [1]. And for Chrome there is some discussion of inconsistent behavior ongoing, too [2].

> I’m very ignorant of these security issues but it seems strange to me that accessing my own files through a local server rather than directly would change anything.

Well, a web page that uses local storage uses active JavaScript and expects some state to be handled. Running this locally is not the preferred way of using a modern Web-App. The implications of bug 1500453 (other files in the same folder might be affected) are valid also here. It is much healthier to assume that a user controls the content of a dedicated web server they explicitly set up on purpose rather than the content of their download folder, as an example.

> Changing the security setting does seem dangerous to me as it opens many possibilities that us naive users don’t know about.

Sure, and please do not read my previous comment 6 as a recommendation to non-expert users.

> Perhaps another parameter could be set up to allow local sharing without affecting anything else.

This would still require a lot of expert knowledge by the user. Basically this pref would need to allow again access throughout the entire folder, which still sounds bad.

[1] https://url.spec.whatwg.org/#origin
[2] https://bugs.chromium.org/p/chromium/issues/detail?id=957695
The general rationale for this change can be found here in bug 1500453.

(In reply to dr.kral from comment #7)
> Other browsers such as Edge, Chrome, Opera behave as Firefox did before version 92.

There is no standard for this particular situation, unfortunately. File URLs are somewhat underspecified [1]. And for Chrome there is some discussion of inconsistent behavior ongoing, too [2].

> I’m very ignorant of these security issues but it seems strange to me that accessing my own files through a local server rather than directly would change anything.

Well, a web page that uses local storage uses active JavaScript and expects some state to be handled. Running this locally is not the preferred way of using a modern Web-App. The implications of bug 1500453 (other files in the same folder might be affected) are valid also here. It is much healthier to assume that a user controls the content of a dedicated web server they explicitly set up on purpose rather than the content of their download folder, as an example.

> Changing the security setting does seem dangerous to me as it opens many possibilities that us naive users don’t know about.

Sure, and please do not read my previous comment 6 as a recommendation to non-expert users.

> Perhaps another parameter could be set up to allow local sharing without affecting anything else.

This would still require a lot of expert knowledge by the user. Basically this pref would need to allow again access throughout the entire folder, which still sounds bad.

[1] https://url.spec.whatwg.org/#origin
[2] https://bugs.chromium.org/p/chromium/issues/detail?id=957695
The general rationale for this change can be found here in bug 1500453.

(In reply to dr.kral from comment #7)
> Other browsers such as Edge, Chrome, Opera behave as Firefox did before version 92.

There is no standard for this particular situation, unfortunately. File URLs are somewhat underspecified [1]. And for Chrome there is some discussion of inconsistent behavior ongoing, too [2].

> I’m very ignorant of these security issues but it seems strange to me that accessing my own files through a local server rather than directly would change anything.

Well, a web page that uses local storage uses active JavaScript and expects some state to be handled. Running this locally is not the preferred way of using a modern Web-App. The implications of bug 1500453 (other files in the same folder might be affected) are valid also here. It is much healthier to assume that a user controls the content of a dedicated web server they explicitly set up on purpose rather than the content of their download folder, as an example.

> Changing the security setting does seem dangerous to me as it opens many possibilities that us naive users don’t know about.

Sure, and please do not read my previous comment 6 as a recommendation to non-expert users.

> Perhaps another parameter could be set up to allow local sharing without affecting anything else.

This would still require a lot of expert knowledge by the user. Basically this pref would need to allow again access throughout the entire folder, which still sounds bad.

[1] https://url.spec.whatwg.org/#origin
[2] https://bugs.chromium.org/p/chromium/issues/detail?id=957695
