Closed Bug 1445143 Opened 7 years ago Closed 7 years ago

locally opened html files can make ajax requests to local machine

Categories

(Core :: DOM: Security, defect)

58 Branch
defect
Not set
normal

Tracking


RESOLVED INVALID

People

(Reporter: seaston, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Build ID: 20180206200532

Steps to reproduce:
Create a simple JavaScript that makes an XMLHttpRequest to a file in the same directory or sub-directory. Open it from the Open File Menu.

Actual results:
XMLHttpRequest request is valid. File is opened and loaded.

Expected results:
Request Blocked due to breaking Cross Origin Policy.
Component: Untriaged → DOM: Security
OS: Unspecified → All
Product: Firefox → Core
Hardware: Unspecified → All
This matches our definition of "same origin" for the file: protocol. There is no standard. The original "file" origin was "my machine is a host". I believe IE will still let you load from the entire disk but you have to allow scripts to run first. Firefox restricted it to same directory or sub-directory (this was useful for doing local development, without allowing your files to read sensitive files elsewhere on the disk). Chrome has made each file: url a "unique origin" like data: urls. Without a standard all are equally valid interpretations.
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID