Closed Bug 1441066 Opened 6 years ago Closed 6 years ago
Can access files in the same directory when using file: scheme
(In reply to michaelbierma from comment #0)
> Cross origin requests between file and http/https/etc. should not be
> possible and should be blocked by the browser.

Do you have a source for this claim? I think what is surprising you is that we allow access to other files in the same directory. Other than that, the exact same thing would work in Chrome or Edge (i.e. sending data that didn't come from a file in the same directory to http/https).

E.g. load this in either Firefox or Chrome from a file:/// URI:

<script>
let xhr = new XMLHttpRequest();
xhr.open("GET", "https://www.mozilla.org/", true);
xhr.send();
</script>

And the request goes through (the page can't access the result because there's no matching access-control-allow-origin header, but obviously if you were exploiting this that wouldn't matter). The same would apply to `POST` or `PUT` requests, though even if it didn't you could just pass the data in the querystring for the GET request.

So I think this has nothing to do with accessing http/https from file:, and everything to do with our file: access policy, which is already on file as bug 803143.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Summary: Cross origin requests for file scheme → Can access files in the same directory when using file: scheme
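
The read-side check mentioned in the comment above, modelled as an added example (not part of the bug thread and not any browser's own code): a simplified version of the Fetch "CORS check" showing why a file: page cannot read the response unless the server opts in. The page path and the sample response headers are constructed for illustration.

```javascript
// Simplified model of the Fetch "CORS check" a browser runs on a response.
// It decides only whether page script may READ the response; by the time it
// runs, a simple GET/POST has already been sent to the server.

// Origin as serialized into the Origin request header. A file: page has an
// opaque origin, which serializes as the literal string "null".
function serializeOrigin(pageUrl) {
  const u = new URL(pageUrl);
  return u.protocol === "file:" ? "null" : u.origin;
}

// headers: plain object with lowercase response header names (constructed input).
// credentialsMode: "omit" | "same-origin" | "include" (XHR default: "same-origin").
function corsCheck(pageUrl, headers, credentialsMode = "same-origin") {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false; // no header: response unreadable
  if (credentialsMode !== "include" && allowOrigin === "*") return true;
  if (allowOrigin !== serializeOrigin(pageUrl)) return false;
  if (credentialsMode !== "include") return true;
  return headers["access-control-allow-credentials"] === "true";
}

// Constructed sample responses, not captured traffic.
const page = "file:///home/user/report.html"; // hypothetical local page
const samples = [
  ["no ACAO header", {}],
  ["ACAO: *", { "access-control-allow-origin": "*" }],
  ["ACAO: null", { "access-control-allow-origin": "null" }],
  ["ACAO: https://example.org", { "access-control-allow-origin": "https://example.org" }],
];
for (const [label, headers] of samples) {
  console.log(label.padEnd(28), "readable by file: page?", corsCheck(page, headers));
}
```

Because every opaque origin serializes as `null`, a server that answers with `Access-Control-Allow-Origin: null` makes its responses readable to any local file: page, so that value should not be used as an allow-list entry.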