10

I was using a Chrome shortcut with allow-file-access-from-files in the target to work on my three.js student project files. But sometime this morning this stopped working and it appeared Chrome had been updated. I redid the shortcut but no joy.

Part of the project I'm doing is building three.js animation that works in a common browser (for which I chose Chrome).

Is there any way to get Chrome to allow file access again?

Thanks.

WestLangley
  • 102,557
  • 10
  • 276
  • 276
KayM
  • 318
  • 1
  • 2
  • 12
  • Did you make sure Chrome was fully closed before launching the command again? – mrdoob Jul 18 '14 at 14:27
  • @mrdoob Yes, I closed it and I've also tried rebooting. If I open a file using unaltered Chrome it will just not load anything that requires those permissions but it will load the page. If I use a shortcut with the allow-access I get the Chrome "AwhSnap something went wrong" page. I will remove Chrome and reinstall to see if that works. – KayM Jul 18 '14 at 17:06
  • @mrdoob I've reinstalled Chrome and now I don't get the "Aw Snap" when I use an altered shortcut I just get the same result as if I opened the file with unaltered Chrome. Chrome 36 was the update that just happened. Is there anyone else having this problem? I'm running Windows Vista. – KayM Jul 18 '14 at 17:38
  • @KayM Did you get any solution to turn allow-file-access-from-files ? – Dipen Dedania Jul 14 '17 at 14:00

3 Answers3

6

The answer I came up with was to use Firefox instead of Chrome changing the security policy as detailed in https://github.com/mrdoob/three.js/wiki/How-to-run-things-locally

Not a perfect answer but with a deadline looming it's the best workable answer for me right now as trying different variations of Chrome, trying Wamp and also Mongoose didn't work. If I had more time I would work out how to use Python or probably node.js as I've seen it mentioned a number of times as being the faster option.

What gman stated is true, using the Chrome flag (and changing Firefox's security policy) does create a big security risk. But only if you use that shortcut (and it's tabs etc.) for anything other than accessing your own local files. I've been scrupulous about not using it for the internet but don't use this method if you can't be strict with yourself.

Ideally I'd recommend beginning any project with node.js.

KayM
  • 318
  • 1
  • 2
  • 12
4

Gman's answer is good. If you're in windows environment, and use npm for package management the easiest is to install http-server globally:

npm install -g http-server

Then simply run http-server in any of your project directories:

Eg. d:\my_project> http-server

Starting up http-server, serving ./ Available on: http:169.254.116.232:8080 http:192.168.88.1:8080 http:192.168.0.7:8080 http:127.0.0.1:8080 Hit CTRL-C to stop the server

Easy, and no security risk of accidentally leaving your browser open vulnerable.

orszaczky
  • 13,301
  • 8
  • 47
  • 54
-4

DON'T USE THAT FLAG! You're opening yourself to having your online accounts being hacked and your local data stolen. Here are 2 proof of concept examples

Run a simple server.

It's super simple.

They won't take more than a couple of minutes to download and require no configuration

gman
  • 100,619
  • 31
  • 269
  • 393
  • 1
    @KayM Or create your server with WAMP (http://www.wampserver.com/en/). There are differences in the behavior between the local and server development, and you should go for the second. – Dragan Okanovic Jul 19 '14 at 10:39
  • @AbstractAlgorithm How do I use WAMP to see three.js/WebGL? I downloaded WAMP, checked the icon was green, put my work in the www folder and then navigated to it in Chrome using localhost/ or opened it in the www folder but neither of these work. I'm new to servers, what am I doing wrong? Thanks. – KayM Jul 22 '14 at 18:47
  • @KayM Navigating to localhost should be all there is, really. If it's not working, it's wamp-related issue. If the icon is green, then everything should be okay (nothings on the same port etc). Any console error or anything that might point out the problem? – Dragan Okanovic Jul 22 '14 at 21:46
  • There's no reason to use some giant heavy things like WAMP. Use node or devd or [this](http://stackoverflow.com/a/38724878/128511) – gman Aug 26 '16 at 17:52
  • If you don't mind, could you explain the security risk? – awakenDeepBlue Mar 01 '17 at 18:41
  • Sorry but these are not good examples. You cant use that flag anymore anyways it doesnt work – Mike Jun 23 '17 at 13:34
  • what flags are you talking about. There are no flags in this answer or in the comments for this answer – gman Jun 23 '17 at 17:21
  • 1
    The link you provide talks about a completely different flag. The `allow-file-access-from-files` flag doesn't have those security problems. – GetFree Oct 23 '17 at 03:17
  • It does have those security problems. Any library you run in that context can upload your local files to the net. i don't understand the resistance to running a server. It's not like installing apache. Simple servers exist (see above). They are simple to install (30-120 seconds) and simple to run. So why not just do the safe thing? It's also what most pro web devs do so. – gman Oct 23 '17 at 03:34
  • 2
    @gman, code running in a `file://` context is the same as any program running in your computer. That's not a security risk, it's just what code running locally is expected to be able to do. Online webpages, on the other hand, can't do anything unusual if you enable `allow-file-access-from-files`. it's completely safe to use. – GetFree Oct 26 '17 at 05:16
  • Did you even try the exploit PoCs I linked to. The second one works just fine with `--allow-file-access-from-files`. It is able to access the files and display them which means a library you included in your page could do the same. That same library could upload the contents to a server run by the person that wrote the library. Maybe you missed the part that you need to "pick Save as..." and run the file locally to see the exploit? So it is not totally safe to use. Please stop giving people irresponsible advice. – gman Jan 06 '19 at 02:21
  • Also, while we're at it the `fetch` API doesn't allow file access period even with `--allow-file-access-from-files` so using this flag won't help you run your code locally. You'll need a server. – gman Jan 06 '19 at 02:23