516927 - Origin/Access-Control-Allow-Origin header does not allow remote domain access from local file:// resource

Status: UNCONFIRMED

(Firefox :: Security, defect)

Description

[Holgilein]

User-Agent:       Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Build Identifier: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3

Hi there,

I downloaded FF 3.5.3, then modified my development web server to send "Access-Control-Allow-Origin: ^" headers back to Firefox, which works fine as long as the index.html resource is "out there" on a web server (i.e. as long as the URL starts with "http://").

However, when I try to load the web site locally ("file://project/index.html"), the XHR requests sent by that local resource fail. Firefox does send an ORIGIN request to the web server, and it receives the Access-Control-Allow-Headers response, but it then simply stops, instead of continuing with the POST request.

Also, I noted that the Origin header field (server-side) is empty if the XHR request stems from a local resource ("Origin: null). Should that not be "file:/URL"?

Please let me know if this is a real bug, or if I am doing something wrong.

Many thanks,

Holger

Reproducible: Always

Steps to Reproduce:
1. Try making remote XHR requests from a local file resource/script.

Comment 1

[Graham Sutherland]

I would argue that, even if we do consider this a bug, allowing XHR to arbitrary file:// targets would be horribly bad practice. Since the server is responsible for applying the Access-Cross-Allow-Origin header, and any CSP, it would allow a malicious site to steal any file it likes from your machine, assuming the browser has the privilege to read it.

My advice would be to set up a local HTTP server (or LAMP stack bundle) to test your local projects in, if you require any form of XmlHttpRequest support.