Open Bug 516927 Opened 14 years ago Updated 5 months ago
Origin/Access-Control-Allow-Origin header does not allow remote domain access from local file:// resource
(Firefox :: Security, defect)
(Reporter: lists, Unassigned)
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:184.108.40.206) Gecko/20090824 Firefox/3.5.3 Build Identifier: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:220.127.116.11) Gecko/20090824 Firefox/3.5.3 Hi there, I downloaded FF 3.5.3, then modified my development web server to send "Access-Control-Allow-Origin: ^" headers back to Firefox, which works fine as long as the index.html resource is "out there" on a web server (i.e. as long as the URL starts with "http://"). However, when I try to load the web site locally ("file://project/index.html"), the XHR requests sent by that local resource fail. Firefox does send an ORIGIN request to the web server, and it receives the Access-Control-Allow-Headers response, but it then simply stops, instead of continuing with the POST request. Also, I noted that the Origin header field (server-side) is empty if the XHR request stems from a local resource ("Origin: null). Should that not be "file:/URL"? Please let me know if this is a real bug, or if I am doing something wrong. Many thanks, Holger Reproducible: Always Steps to Reproduce: 1. Try making remote XHR requests from a local file resource/script.
10 years ago
I would argue that, even if we do consider this a bug, allowing XHR to arbitrary file:// targets would be horribly bad practice. Since the server is responsible for applying the Access-Cross-Allow-Origin header, and any CSP, it would allow a malicious site to steal any file it likes from your machine, assuming the browser has the privilege to read it. My advice would be to set up a local HTTP server (or LAMP stack bundle) to test your local projects in, if you require any form of XmlHttpRequest support.
5 months ago
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.