6

Perhaps my searching(Google-Fu) has deserted me, but I can't find a good description of the same-origin policy for file URIs other than this outdated Mozilla page. Can anyone point me to an explanation of the same-origin policy for file URIs? In particular, if I have a script loaded from (say) file:///C:/Users/Joe/Test/test.html, what files is that script allowed to access using XMLHttpRequest? And how should I specify the URI, i.e., as relative to the script's URI?

Note that I'm not asking for a way to get around cross-origin restrictions, just an understanding of where I need resources to reside so that I can load them without triggering a cross-origin error.

ozkanpakdil
  • 3,199
  • 31
  • 48
Dr. Pain
  • 689
  • 1
  • 7
  • 16
  • You want to look into [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS). – StackSlave Jan 18 '18 at 02:54
  • 2
    `file:///` uri's work differently with respect to "same origin policy" in different browsers - chrome has a command line flag to make them "same origin" (as they are in Firefox at least) - other browsers aren't worth talking about :p – Jaromanda X Jan 18 '18 at 02:56
  • 2
    @JaromandaX +1 to your comment, but the irony is that the *other browsers aren't worth talking about*, specifically IE and Edge, happen to be the easiest to use for such a development scenario. They both work smoothly with `file:///` and CORS combination without any need for command line flags or any other steps. – Racil Hilan Jan 18 '18 at 03:02
  • That's why they aren't worth talking about @RacilHilan - because they work :p – Jaromanda X Jan 18 '18 at 03:17
  • In response to the suggestion to look at CORS: That doesn't seem to apply to file URIs. Am I wrong about that? – Dr. Pain Jan 18 '18 at 03:59
  • @JaromandaX -- I'm most interested in the Chrome case (since at the moment Chrome is the only browser that can run my application in a reasonable time). Does Chrome consider all file URIs to be cross-origin unless the --disable-web-security flag has been set? – Dr. Pain Jan 18 '18 at 04:03
  • 1
    I think there's a less dangerous flag, `--allow-file-access-from-files` – Jaromanda X Jan 18 '18 at 04:13

1 Answers1

6

The same-origin policy for file:/// URIs is implementation-dependent.

The W3C's CORS spec gets its definition of an "origin" from IETF RFC 6454 "The Web Origin Concept". In section 4 "Origin of a URI" it reads:

  1. If uri-scheme is "file", the implementation MAY return an implementation-defined value.

NOTE: Historically, user agents have granted content from the file scheme a tremendous amount of privilege. However, granting all local files such wide privileges can lead to privilege escalation attacks. Some user agents have had success granting local files directory-based privileges, but this approach has not been widely adopted. Other user agents use globally unique identifiers for each file URI, which is the most secure option.

Looking up the behavior (and the reasoning behind it) for specific browsers is not easy. I actually think the old Mozilla wiki page you referenced is one of the better resources on this topic. Here's a fairly helpful discussion; general guidance is to assume the browser may treat all file:/// URIs as totally unique origins.

Community
  • 1
  • 1
Brad Buchanan
  • 1,475
  • 1
  • 15
  • 22
  • 1
    This answer is correct but it should be noted that the https://www.w3.org/TR/cors/ spec (published in 2014) is now obsolete. (In general, most specs published in the https://www.w3.org/TR tree are obsolete…) The current requirements for determining the origin of a `file:`-protocol URL are in the URL standard at https://url.spec.whatwg.org/#origin: *“Unfortunate as it is, this is left as an exercise to the reader. When in doubt, return a new opaque origin.”* — in other words, it’s implementation-dependent (as this answer says). – sideshowbarker Dec 02 '19 at 00:18
  • 1
    See also https://groups.google.com/a/chromium.org/forum/#!topic/blink-dev/0w5mxLMkrNM – sideshowbarker Dec 02 '19 at 00:20