Allow file: and content: URI access
Categories
(Fenix :: General, enhancement, P5)
Tracking
(Not tracked)
People
(Reporter: kbrosnan, Unassigned)
References
(Depends on 1 open bug)
Details
User Story
As a user I want to be able to load content that is local to the device without the need to host it on a local web server.
Users want to be able to view local files on their device. This includes file://
and content://
URIs.
This needs a comprehensive audit to make sure that Fenix has the same security parameters for local files as Gecko/Desktop Firefox does. Features including CORS and same-origin , chrome and content separation, etc. These audits may be best tackled as separate bugs if there is a qualified developer to perform those audits.
Comment hidden (advocacy) |
Reporter | ||
Comment 2•1 year ago
|
||
Go back the original commit that caused this
Fenix has a hard separation from Gecko, this has been true since the first commit. Everything that desktop gets for free by being tightly coupled with Gecko needs an API in Geckoview and then that API handled in Fenix.
Provide an about:config-style setting
about:config
is a poor fit for controlling features on Fenix because of the hard separation. Making it optional is risky it becomes a one click button to allow Theft of arbitrary files from local system
which is a sec-high rated problem. The path forward here is to gather the needed info and implement necessary security changes.
Comment 4•11 months ago
|
||
How does Chrome / Chromium / the Android native browser (whatever it should be called) handle this issue? Do they also disallow file:///
URLs?
This whole situation is incredibly silly: if I understand correctly, Android's security model is so complex, so badly designed or so broken that somehow “opening a local file” has become a security issue (which it emphatically is not on a PC, so the non-Android Firefox can open file:///
URLs fine), apparently there isn't even an easy fix of allowing opening files in /sdcard
or so, and because of this Firefox must prevent users from even opening the files which they themselves downloaded a minute ago. So Firefox can't function as an image viewer or as a PDF viewer (bug #1815739), for which it would otherwise be great, because… opening local files is dangerous‽ This is beyond absurd, especially as PDF viewers for Android are ripe with security issues and using Firefox's pdfjs would probably be a great improvement for everyone. And as the issue is very complex, this bug will never be fixed. But in the mean time, Chrome works fine, and nobody knows why. Am I correctly summarizing the situation, or is there something I missed?
Comment 5•8 months ago
|
||
How can one access local files on Android without this bug getting fixed? I type in the file:// URL, and it turns into a search with no good matches. That is a stupid response. I didn't want a search, I wanted the local file. I want it local so it will work when I have no available WiFi or cell service.
Comment 6•8 months ago
|
||
And no, using a local file server is too cumbersone to be considered a solution, because it keeps getting killed in the background.
Comment 7•6 months ago
|
||
The CVE itself looks much non-sense:
Malicious app on system may steal certain files from Firefox.
Actually such app would potentially steal arbitrary files without even involving Firefox... Same for all practical systems.
Thoughtless operation is incurable security-wise.
Comment 8•5 months ago
|
||
Now that SingleFile is officially supported on Firefox for Android [1], a fix for this bug would be appreciated. Today, users can save web pages in HTML format but needs another browser to open it, which is unfortunate.
[1] https://addons.mozilla.org/en-US/android/addon/single-file/
Comment 9•5 months ago
|
||
More on the main topic:
https://github.com/MasterInQuestion/talk/discussions/8
As workaround: setting up a HTTP server can be amazingly easy...
See: https://bugzilla.mozilla.org/show_bug.cgi?id=1839806#c13
.
Though I haven't carefully verified the security implication.
(whether remote sites could access the "127.0.0.1" URI etc.)
I believe the issue should have been discussed before.
And typically only trusted sources ("file://", "localhost" alike) could access them by default:
With potentially browser flags to allow less secure config.
Comment 10•4 months ago
|
||
Well... It's not, surprisingly.
Thoughtlessly doing so may allow remote sites gaining read access to arbitrary files user accessible.
And currently there exists no config for intervention.
See also: https://bugzilla.mozilla.org/show_bug.cgi?id=1872502
Description
•