Tightened Local File Security

There’s been an interesting security adjustment in Firefox 3 that will have some potential ramifications for certain (file://-hosted) web pages. Specifically, how local files in parent directories are referenced and accessed has changed.

For example, previously you could create an HTML page and have it request a file in a parent directory, like so:

```html
<title>Local File</title>
<script>
var xhr = new XMLHttpRequest();
// Request a file one directory above the page's own directory
xhr.open("GET", "../some/file.txt", true);
// ... handle the response ...
xhr.send(null);
</script>
```

However, that is no longer possible (just to emphasize: this applies only to locally downloaded web pages running from file://…), as an HTML page can no longer access files in parent directories. This includes both ../ relative URLs and file://… absolute URLs.

There’s a detailed discussion in the bug ticket concerning this change. Primarily it boils down to the fact that:

Users frequently download HTML pages for a variety of reasons; HTML pages have full access to the hard drive and the ability to do cross-domain communication; this combination leads to an unsuspecting mess where malicious pages can actively try to steal user information.

This change is two-fold: it’s possibly frustrating (there’s bound to be some HTML page somewhere that uses XMLHttpRequest to load local information located above the current directory) and unavoidable (leaving this security concern in place would lead to undesired situations, if it hasn’t already).

Generally speaking I don’t think this change will affect many people – but it’s just something you should be aware of when planning your sites for Firefox 3.

UPDATE: In the original post I interpreted the Bugzilla bug as meaning that ALL attempts to access parent-directory files were blocked when, in fact, only items bound by the same-origin policy (like XMLHttpRequest) are. This should affect very few pages, but it’s good to be aware of.

Posted: May 20th, 2008
