-1

If I have an html page I'm loading at the path file://some/path/whatever.html, can javascript in that file download whatever.html and examine it? I know the same origin policy disallows access to other files, but I'm not clear on whether it also bars access to the current file when using the file:// protocol.

In short: does the same origin policy disallow any access to file:// protocol paths?

I looked at mdn's documentation on this, but it doesn't make it clear.

B T
  • 57,525
  • 34
  • 189
  • 207
  • 3
    What happened when you tried this? – admdrew Jul 07 '14 at 20:12
  • see this question http://stackoverflow.com/questions/18586921/how-to-launch-html-using-chrome-at-allow-file-access-from-files-mode Starting chrome with allow file access from files will allow you to make ajax request to local files – Geoff448 Jul 07 '14 at 20:15
  • @admdrew When I tried it I got a readyState 4 and status code 0. However, it does not generate the 'Script error.' `window.onerror` call I'm using to seeing with failing cross-domain ajax calls. – B T Jul 07 '14 at 20:17
  • use sync ajax for local files: no latency anyway... – dandavis Jul 07 '14 at 20:18
  • @Geoff448 I'm not actually trying to allow this to happen. My goal is actually to detect cross-domain policy violations before they're executed with ajax so i can avoid those annoying and mostly useless window.onerror calls. – B T Jul 07 '14 at 20:19

1 Answers1

1

It depends on the browser.

I've been able to do this in Firefox (using AJAX with jQuery, there might be an easier way), but not in Chrome, which doesn't allow access to local files to JavaScript.

EDIT: just learned that you can launch Chrome with the --allow-file-access-from-files parameter, which should enable this behavior.

kraxor
  • 649
  • 8
  • 16
  • i was able to ajax(location.href) in chrome from a desktop file just now (without any param)... – dandavis Jul 07 '14 at 20:17
  • @dandavis that's odd, it didn't work for me a few days ago. Maybe I did something else wrong or differently. I'll check my script. – kraxor Jul 07 '14 at 20:21
  • I'm not actually looking to enable this behavior, just want to understand the same origin policy more precisely. I just tried in latest version of firefox tho, and it doesn't seem to allow access either. Would have surprised me if it did. – B T Jul 07 '14 at 20:28