CheckLoadURI exception for files about to be uploaded (let sites show preview of image referenced in <input type="file">)

VERIFIED FIXED

Status

enhancement
VERIFIED FIXED
13 years ago
8 years ago

People

(Reporter: christoph.cantillon, Assigned: dveditz)

Tracking

Trunk

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; nl-NL; rv:1.7.10) Gecko/20050717 Firefox/1.0.6
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; nl-NL; rv:1.7.10) Gecko/20050717 Firefox/1.0.6

For a web application I need to reference a local image from a web page,
using JavaScript. The local image is chosen by the user through a <input
type="file"> thing, and should be previewed in an <img>. Firefox actively blocks
setting an image's src attribute to the URL obtained from the file selector.
This is, in my opinion, a case where Firefox's security is just too tight.

Reproducible: Always

Steps to Reproduce:
A: remote
1. go to the URL defined above
2. select an image file with one of the two file selectors

B: local
1. save the html file to your hard disk
2. open the html file from your hard disk
3. select an image file with one of the two file selectors

Actual Results:  
in case A nothing happens, in case B the image is correctly previewed

Expected Results:  
case A should behave exactly like case B
Firefox should at least allow access to a file that is explicitly selected by
the user.

Go to about:config,
type security.checkloaduri and set it to false
to allow local images loaded from remote sites.
Or is this a dupe of Bug 176502?
(Reporter)

Comment 3

13 years ago
I can't expect every user of the site to change their configs, nor can I call enabling this by default a 
security hole since it would still require explicit user interaction to enable access to the file, which the site 
will eventually have access to anyway since it's about to be submitted to the server.

Comment 4

13 years ago
I'm pretty sure this is a dup, but I can't find the other bug.
Assignee: nobody → dveditz
Severity: normal → enhancement
Component: Security → Security
Product: Firefox → Core
QA Contact: firefox → toolkit
Summary: security too tight when referencing to user-selected files → CheckLoadURI exception for files about to be uploaded (let sites show preview of image referenced in <input type="file">)
Version: unspecified → Trunk
Resolving unconfirmed bugs older than a year with no activity as INCOMPLETE.  Please reopen or file a new bug if you can still reproduce the bug.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INCOMPLETE
This is actually doable nowadays with the proposed standard documented at https://developer.mozilla.org/en/DOM/FileReader
Resolution: INCOMPLETE → FIXED
Status: RESOLVED → VERIFIED
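
A sketch of the FileReader approach mentioned in the closing comment, added here as an example (it is not code from the bug or from Mozilla). The page reads the File object the user picked and never handles a file:// URL, so the CheckLoadURI check is not involved; the function names, the size cap and the list of accepted formats are assumptions.

```javascript
// Added example: names and the size cap below are hypothetical, not from the bug.
const MAX_PREVIEW_BYTES = 5 * 1024 * 1024; // assumed upper limit for a preview

// Leading "magic" bytes of the raster formats this sketch agrees to preview.
const SIGNATURES = [
  { mime: "image/png", bytes: [0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a] },
  { mime: "image/jpeg", bytes: [0xff, 0xd8, 0xff] },
  { mime: "image/gif", bytes: [0x47, 0x49, 0x46, 0x38] },
];

// Return the MIME type implied by the file's first bytes, or null if unknown.
function sniffImageType(header) {
  for (const sig of SIGNATURES) {
    if (header.length >= sig.bytes.length &&
        sig.bytes.every((b, i) => header[i] === b)) {
      return sig.mime;
    }
  }
  return null;
}

// Decide from size and content (not from file.name or file.type) whether to preview.
function previewDecision(size, header) {
  if (size === 0 || size > MAX_PREVIEW_BYTES) return { ok: false, reason: "size" };
  const mime = sniffImageType(header);
  return mime ? { ok: true, mime } : { ok: false, reason: "not-image" };
}

// Browser-only wiring: call from the change handler of an <input type="file">.
// Only the bytes of the user-selected File are read; no local path is exposed.
function previewSelectedImage(input, img) {
  const file = input.files[0];
  if (!file) return;
  const headReader = new FileReader();
  headReader.onload = () => {
    const verdict = previewDecision(file.size, new Uint8Array(headReader.result));
    if (!verdict.ok) {
      img.removeAttribute("src"); // refuse anything that is not a known image
      return;
    }
    const bodyReader = new FileReader();
    bodyReader.onload = () => { img.src = bodyReader.result; }; // data: URL
    // Label the data: URL with the sniffed type instead of the OS-supplied one.
    bodyReader.readAsDataURL(new Blob([file], { type: verdict.mime }));
  };
  headReader.readAsArrayBuffer(file.slice(0, 8)); // 8 bytes covers every signature
}
```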