312229 - Security settings do not allow for localhost pages to use file:// protocol

Status: RESOLVED DUPLICATE of bug 233108

(Firefox :: Security, enhancement)

Description

[Kevin James]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7

I use webhhtrack to mirror pages and information from the web. It's server runs
on the local machine and stores everythign on the local machine, but does not
"serve" the mirrored pages. For example, I access the server at localhost:8080
and can mirror pages using this interface. But when I use it to view my mirrored
pages, it attempts to change the location [via "window.open()"] to
"file://f:/ebooks" --- this is where I mirror everything. After checking the
javascript console, I find a security error. I eventually found the setting to
control it, but switching that would open up a security vulnerability (Internet
pages loading files from the local system). So instead of always blocking, a
setting be created to allow/disallow localhost to access the file protocol and
another to force a prompt.

Reproducible: Always

Steps to Reproduce:
1.start a small webserver on the host system.
2.create a local web pages using it that contains a link to a file on the
system. The link should be absolute and use the "file://" protocol
3.access the page using browser (ex. "localhost//testpage.html")
4.click on the link

Actual Results:  
The browser will not show the page, nor will it show an error.

Expected Results:  
It should have shown the page, but I understand the potential security issue here.
Maybe, policy settings could be implemented?

Comment 1

[Jesse Ruderman]

Already fixed for Firefox 1.5, I think in bug 233108.  See also bug 307382.

*** This bug has been marked as a duplicate of 233108 ***

Comment 2

[Jesse Ruderman]

http://kb.mozillazine.org/Links_to_local_pages_don%27t_work has instructions for
using the new prefs.