Closed Bug 477201 Opened 14 years ago Closed 14 years ago

"Error: Permission denied to get property Window.document" using local file:///SomeFile.html and


(Firefox :: Security, defect)

Not set





(Reporter: trindflo, Unassigned)




(1 file)

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv: Gecko/2008121622 Ubuntu/8.04 (hardy) Firefox/3.0.5
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv: Gecko/2008121622 Ubuntu/8.04 (hardy) Firefox/3.0.5

if document.domain is the empty string, window.document will fail for windows created using  This is not an issue if the file is read through a local server (i.e.  It is only an issue when the html is read as a file (i.e. file:///...).

This occurs on windows and linux machines.

Tested in Firefox 3.0.6 (

Reproducible: Always

Steps to Reproduce:
1. Place rcjs-fails.html file on local disk
2. Load rcjs-fails.html file with File->Open
3. Click on link

Actual Results:  
Error Console displays:
Error: Permission denied to get property Window.document
Source File: file:///home/XXX/XXX/rcjs-fails.html
Line: 15

Javascript function fails

Expected Results:  
new windows should close.  Original window should display links found.
Blocks: 397828
Er...  Isn't the issue that you're trying to read a directory that's an ancestor of the file in question?  That's not allowed by security policy in Firefox 3, and doesn't seem to be related to bug 397828 to me.
And in particular, if I back out bug 397828 then the script can get the document fine but throws on trying to get document.links, as expected:

JavaScript error: file:///Users/bzbarsky/test/test.html, line 15: Permission denied for <file://> to get property HTMLDocument.links from <file://>.

See also bug 230606.
Blocks: 230606
No longer blocks: 397828
Closed: 14 years ago
Resolution: --- → INVALID
Thank you for your time, and for the link.  I was attempting to do something which is forbidden with very good cause by default in Firefox 3, and only after a lot of discussion.

My desire was to enumerate images for display without hard-coding the names of each file in html, and this same mechanism could be used to access other information on the hard drive (the Firefox security policies for instance).  The mechanism can still be useful, just not for files on the local hard drive.

Bypassing this security feature through security.fileuri.strict_origin_policy for local html testing works, and it is understandably not recommended.
You need to log in before you can comment on or make changes to this bug.