15

Firefox 68 fixes a security problem with local files (https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11730), but in so doing breaks testing code locally. Is there a way to override this as can be done with Chrome and Opera (e.g., --allow-file-access-from-files)?

I cannot find anything relevant on the Firefox site, and cannot find a suitable command-line option or anything in about:config.

```javascript
try {
    // opener is the window that opened this one
    main = opener.document;
} catch (e) {
    console.log(e);
    console.log(e.name);
}
```

I get the following messages in the console:

```
DOMException: "Permission denied to access property "document" on cross-origin object"
SecurityError
```
JeffC

2 Answers

21

[2023 Update: This pref has been removed since this answer was posted. See user3611642's answer for an up-to-date solution.]

Leaving the original answer in case someone comes back to using FF68 and faces this issue.


You can lift this restriction by going to the about:config URL and then unchecking the `privacy.file_unique_origin` boolean value.

However, be aware that this only reverts to the < 68 protection mode, which is to only allow digging in; even with this flag down you won't be able to fetch `../some_other_dir/foo.bar`.

Kaiido
9

In my case (Firefox ver. 98.0.2, 64-bit), going to about:config and changing this flag helped: `security.fileuri.strict_origin_policy = false`

user3611642
    Thank you! I was going crazy over `privacy.file_unique_origin` not working anymore! Also note that restart is not required and this is the only setting you need to switch as of today, `privacy.file_unique_origin` is not needed/supported anymore. – Tomáš Hübelbauer Jan 06 '23 at 21:09
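
An added example (not part of the original posts, and not Firefox code): a simplified JavaScript model of the three `file://` origin behaviours discussed in the answers above, showing why the pre-68 mode allows "digging in" but not `../some_other_dir/foo.bar`. The mode names, function names and sample paths are constructed for illustration; the mapping of modes to prefs follows the answers above.

```javascript
// Simplified model of file:// origin checks; an illustration, not Firefox source code.
// Mode names are this example's own labels for the behaviours discussed above.
const MODES = Object.freeze({
  UNIQUE: 'unique',         // Firefox 68+ default: each file:// URL is its own origin
  DIRECTORY: 'directory',   // pre-68 rule: only "digging in" below the opener's directory
  PERMISSIVE: 'permissive', // security.fileuri.strict_origin_policy = false
});

// Parse a file: URL; the URL parser resolves "." and ".." segments for us.
function filePath(fileUrl) {
  const u = new URL(fileUrl);
  if (u.protocol !== 'file:') throw new TypeError('not a file: URL: ' + fileUrl);
  return u.pathname;
}

// Would a document loaded from fromUrl be treated as same-origin with toUrl?
function sameOrigin(mode, fromUrl, toUrl) {
  const from = filePath(fromUrl);
  const to = filePath(toUrl);
  switch (mode) {
    case MODES.PERMISSIVE:
      return true; // every local file shares one origin
    case MODES.UNIQUE:
      return from === to; // a document only matches itself
    case MODES.DIRECTORY: {
      // Keep the trailing slash so /site/ does not match /site-other/.
      const dir = from.slice(0, from.lastIndexOf('/') + 1);
      return to.startsWith(dir);
    }
    default:
      throw new RangeError('unknown mode: ' + mode);
  }
}

// Constructed sample paths.
const page = 'file:///home/dev/site/index.html';
const samples = [
  'file:///home/dev/site/popup.html',
  'file:///home/dev/site/js/app.js',
  'file:///home/dev/site/../some_other_dir/foo.bar',
];
for (const target of samples) {
  const row = Object.values(MODES).map((m) => `${m}=${sameOrigin(m, page, target)}`);
  console.log(target, row.join(' '));
}
```

Only the permissive mode lets the page reach the sibling directory, which is why that setting is best confined to a dedicated testing profile.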