Origin/Access-Control-Allow-Origin header does not allow remote domain access from local file:// resource




9 years ago
3 years ago


(Reporter: Holgilein, Unassigned)






9 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv: Gecko/20090824 Firefox/3.5.3
Build Identifier: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv: Gecko/20090824 Firefox/3.5.3

Hi there,

I downloaded FF 3.5.3, then modified my development web server to send "Access-Control-Allow-Origin: ^" headers back to Firefox, which works fine as long as the index.html resource is "out there" on a web server (i.e. as long as the URL starts with "http://").

However, when I try to load the web site locally ("file://project/index.html"), the XHR requests sent by that local resource fail. Firefox does send an ORIGIN request to the web server, and it receives the Access-Control-Allow-Headers response, but it then simply stops, instead of continuing with the POST request.

Also, I noted that the Origin header field (server-side) is empty if the XHR request stems from a local resource ("Origin: null"). Should that not be "file:/URL"?

Please let me know if this is a real bug, or if I am doing something wrong.

Many thanks,


Reproducible: Always

Steps to Reproduce:
1. Try making remote XHR requests from a local file resource/script.

Comment 1

5 years ago
I would argue that, even if we do consider this a bug, allowing XHR to arbitrary file:// targets would be horribly bad practice. Since the server is responsible for applying the Access-Cross-Allow-Origin header, and any CSP, it would allow a malicious site to steal any file it likes from your machine, assuming the browser has the privilege to read it.

My advice would be to set up a local HTTP server (or LAMP stack bundle) to test your local projects in, if you require any form of XmlHttpRequest support.
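
Added example, not part of the bug report or its comments: a server-side CORS decision function for the two cases in this thread, a page opened from file:// (which arrives as `Origin: null`) and the same page served from a local HTTP server. The allowlisted origin `http://localhost:8000`, the method and header lists, and the function name `corsDecision` are assumptions made for illustration.

```javascript
// Added example: server-side CORS decision for the requests discussed in this bug.
// ALLOWED_ORIGINS and the policy lists are assumptions, not values from the report.
const ALLOWED_ORIGINS = new Set(["http://localhost:8000"]); // hypothetical dev origin
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["content-type"];

// headers: request headers with lower-cased names.
function corsDecision(method, headers) {
  const origin = headers["origin"];
  // No Origin header: not a cross-origin browser request, nothing to add.
  if (origin === undefined) return { allowed: true, headers: {} };
  // A page loaded from file:// sends the literal string "null". Every local
  // file shares that value, so it cannot identify one trusted page and is
  // never treated as an allowlisted origin here.
  if (origin === "null" || !ALLOWED_ORIGINS.has(origin)) {
    return { allowed: false, headers: { "Vary": "Origin" } };
  }
  const out = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  const requestedMethod = headers["access-control-request-method"];
  if (method === "OPTIONS" && requestedMethod !== undefined) {
    // Preflight: check the method and headers the real request will use.
    const requestedHeaders = (headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!ALLOWED_METHODS.includes(requestedMethod) ||
        !requestedHeaders.every((h) => ALLOWED_HEADERS.includes(h))) {
      return { allowed: false, headers: { "Vary": "Origin" } };
    }
    out["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    out["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  }
  return { allowed: true, headers: out };
}

// Constructed sample requests, not captured traffic.
const samples = [
  ["OPTIONS", { origin: "null", "access-control-request-method": "POST" }],
  ["OPTIONS", { origin: "http://localhost:8000",
                "access-control-request-method": "POST",
                "access-control-request-headers": "Content-Type" }],
  ["POST", { origin: "http://localhost:8000" }],
  ["POST", { origin: "http://other.example" }],
];
for (const [m, h] of samples) {
  console.log(m, h.origin, JSON.stringify(corsDecision(m, h)));
}
```
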