Revision 18296 of Same-origin policy for file: URIs

  • Revision slug: Same-origin_policy_for_file:_URIs
  • Revision title: Same-origin policy for file: URIs
  • Revision id: 18296
  • Created:
  • Creator: Sheppy
  • Is current revision? No
  • Comment: 2 words added, 1 word removed

Revision Content

In Gecko 1.8 or earlier, any two file: URIs are considered to be same-origin.  In other words, any HTML file on your local disk can read any other file on your local disk.

Starting in Gecko 1.9, files are only allowed to read certain other files.  Specifically, a file can only read another file if the directory containing the originating file is the same as, or an ancestor of, the directory containing the target file. Directories cannot be loaded this way, however.

For example, if you have a file foo.html which accesses another file, bar.html, the load will only succeed if bar.html is either in the same directory as foo.html or in a directory contained within the same directory as foo.html.

This policy affects anything that does same-origin checks, including XMLHttpRequest, XSLT, and XBL.

For cross-window DOM access, each file is treated as a separate origin, with one exception: if a file is loaded from another file that would otherwise be able to load it following this same-origin policy, they are considered to have the same origin.  This load can occur through a subframe, link, location set, call to window.open(), or the like.

For example, if the file /home/user/foo.html is a frameset and one of the frames is /home/user/subdir/bar.html, the frame and frameset are considered to share the same origin.  On the other hand, if the file /home/user/subdir/foo.html is a frameset and the frame is /home/user/bar.html, the frame and frameset are considered to have different origins.
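The following is an added example, not Gecko's own code, that models the directory-containment rule above and the cross-window exception in a small Python checker. It works on plain POSIX paths (and on `file:` URIs via a tiny helper); the function names `file_uri_can_load`, `file_uri_can_load_uri` and `dom_same_origin` are this example's own. Note that it normalizes `..` segments before comparing and compares on a directory boundary, so `/home/userdata` is not mistaken for a subdirectory of `/home/user`.

```python
import posixpath
from urllib.parse import urlparse, unquote


def file_uri_can_load(origin_path: str, target_path: str,
                      target_is_directory: bool = False) -> bool:
    """Gecko 1.9-style file: rule (modelled here, not Gecko's implementation).

    The originating file may read the target only if the origin's own
    directory is the same as, or an ancestor of, the directory that
    contains the target.  Directories themselves are never loadable.
    """
    if target_is_directory:
        return False
    # Resolve ".." and "." first so a traversal segment cannot escape the check.
    origin_dir = posixpath.dirname(posixpath.normpath(origin_path))
    target_dir = posixpath.dirname(posixpath.normpath(target_path))
    if origin_dir == target_dir:
        return True
    # Ancestor test on a directory boundary: "/home/user" must not match
    # "/home/userdata".  For origin_dir == "/" the prefix becomes "/" itself.
    prefix = origin_dir.rstrip("/") + "/"
    return target_dir.startswith(prefix)


def _path_from_file_uri(uri: str) -> str:
    """Extract and percent-decode the path component of a file: URI."""
    parts = urlparse(uri)
    if parts.scheme != "file":
        raise ValueError(f"not a file: URI: {uri}")
    return unquote(parts.path)


def file_uri_can_load_uri(origin_uri: str, target_uri: str) -> bool:
    """Same check, taking file:// URIs instead of bare paths."""
    return file_uri_can_load(_path_from_file_uri(origin_uri),
                             _path_from_file_uri(target_uri))


def dom_same_origin(loader_path: str, loaded_path: str) -> bool:
    """Cross-window DOM access: two file: documents share an origin only
    when one loaded the other (frame, window.open(), ...) and that load was
    itself permitted by the directory rule."""
    return file_uri_can_load(loader_path, loaded_path)


if __name__ == "__main__":
    # The two frameset cases from the text (constructed sample paths).
    print(dom_same_origin("/home/user/foo.html", "/home/user/subdir/bar.html"))   # True
    print(dom_same_origin("/home/user/subdir/foo.html", "/home/user/bar.html"))   # False
```

The `..`-normalisation and boundary check are what a defender should look for when reviewing any such containment rule: a naive string-prefix comparison would accept `/home/user/../other/x.html` or `/home/userdata/x.html` as being "under" `/home/user`.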

The new security.fileuri.strict_origin_policy preference, which defaults to true, can be set to false if the user doesn't want to strictly enforce the same origin policy on file: URIs.
