Same-origin policy for file: URIs
In Gecko 1.8 or earlier, any two
file: URIs are considered to be same-origin. In other words, any HTML file on your local disk can read any other file on your local disk.
Starting in Gecko 1.9, files are allowed to read only certain other files. Specifically, a file can read another file only if the parent directory of the originating file is an ancestor directory of the target file. Directories cannot be loaded this way, however.
For example, if you have a file
foo.html which accesses another file
bar.html and you have navigated to it from the file
index.html, the load will succeed only if
bar.html is either in the same directory as
index.html or in a directory contained within the same directory as
This policy affects anything that does same-origin checks, including
XMLHttpRequest, XSLT, and XBL.
For cross-window DOM access, each file is treated as a separate origin, with one exception: if a file is loaded from another file that would otherwise be able to load it following this same-origin policy, they are considered to have the same origin. This load can occur through a subframe, link, location set, call to
window.open(), or the like.
For example, if the file
/home/user/foo.html is a frameset and one of the frames is
/home/user/subdir/bar.html, the frame and frameset are considered to share the same origin. On the other hand, if the file
/home/user/subdir/foo.html is a frameset and the frame is
/home/user/bar.html, the frame and frameset are considered to have different origins.
security.fileuri.strict_origin_policy preference, which defaults to
true, can be set to
false if the user doesn't want to strictly enforce the same origin policy on