Loading local file from local file results in CORS error
Categories
(Core :: DOM: Security, defect)
People
(Reporter: rtimon, Unassigned)
Attachments
(1 file: 313 bytes, text/html)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36
Steps to reproduce:
- load attached file
- create a text file called foo.txt and place it in the same directory as the attached HTML file
- notice a CORS error
Actual results:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at file:///C:/Users/ruudp/Downloads/foo.txt. (Reason: CORS request not http).
Expected results:
The HTML file is loaded from the local file system. It loads a text file also located on the local file system. There is no cross-site request. The text file on the local file system should be loaded as it is located on the same origin (local file system) as the requesting HTML file.
Chrome has the same bug: https://bugs.chromium.org/p/chromium/issues/detail?id=990606#c2
I understand CORS enables secure cross-site requests. But I believe in this case the security settings are too stringent. Furthermore, it disables development of certain products.
Comment 1•6 years ago
Allowing this led to exploits such as https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11730
Updated•5 years ago
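Why the request in this report is refused, as an added example that is not part of the bug thread or of any browser's code: a simplified model of the Fetch Standard's ordering for a `cors`-mode request, assuming every `file:` URL is given an opaque origin (serialized as `null`), which matches the behaviour reported above. The file names, ports and function names are constructed for illustration.

```javascript
// Simplified model of a "cors"-mode read (the default for XMLHttpRequest and
// fetch()). data: URLs, redirects and the other request modes are left out.
// Assumption: file: URLs have an opaque origin, which the WHATWG URL API
// serializes as the string "null".

// An opaque origin never matches anything, not even another opaque origin,
// so two files in the same directory are still cross-origin to each other.
function sameOrigin(a, b) {
  const originA = new URL(a).origin;
  const originB = new URL(b).origin;
  return originA !== 'null' && originA === originB;
}

// Decide what happens when a page at pageUrl reads resourceUrl.
function classifyRead(pageUrl, resourceUrl) {
  // Resolve relative names such as "foo.txt" against the page.
  const target = new URL(resourceUrl, pageUrl);

  // 1. Same origin: the read goes through with no CORS involvement.
  if (sameOrigin(pageUrl, target.href)) {
    return { decision: 'allow', reason: 'same origin' };
  }
  // 2. Cross-origin, but CORS is defined only for HTTP(S): there is no
  //    response header through which a file could opt in, so it is blocked.
  if (target.protocol !== 'http:' && target.protocol !== 'https:') {
    return { decision: 'block', reason: 'CORS request not http' };
  }
  // 3. Cross-origin over HTTP(S): allowed only if the response opts in
  //    with Access-Control-Allow-Origin.
  return { decision: 'cors-check', reason: 'response must opt in' };
}

// Constructed sample inputs (paths and ports are placeholders).
const SAMPLES = [
  ['file:///C:/Users/example/Downloads/test.html', 'foo.txt'],
  ['http://localhost:8000/test.html', 'foo.txt'],
  ['http://localhost:8000/test.html', 'http://localhost:9000/foo.txt'],
];

function runSamples() {
  return SAMPLES.map(([page, resource]) => ({
    page, resource, ...classifyRead(page, resource),
  }));
}

console.table(runSamples());
```

The second sample is the usual development workaround: when the same directory is served from a local HTTP server, the page and `foo.txt` share one tuple origin and the read is allowed without relaxing the `file:` restriction.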