Same-origin policy for file: URIs

In Gecko 1.8 and earlier, any two file: URIs are considered to be same-origin. In other words, any HTML file on your local disk can read any other file on your local disk.

Starting in Gecko 1.9, files are allowed to read only certain other files. Specifically, a file can read another file only if the parent directory of the originating file is an ancestor directory of the target file (the parent directory itself counts as an ancestor, so files in the same directory can read each other). Directories cannot be loaded this way, however.

For example, if you have a file foo.html which accesses another file bar.html, and you navigated to foo.html from the file index.html, the load will succeed only if bar.html is either in the same directory as index.html or in a directory contained within the directory that holds index.html.

This affects everything that checks for same origin, including XMLHttpRequest, XSLT, and XBL.

For cross-window DOM access, each file is treated as a separate origin, with one exception: if a file is loaded from another file which would otherwise be able to load it under this policy, the two are considered to have the same origin. Such a load can occur via a subframe, a link, setting location, a window.open() call, and so on.

For example, if the file /home/user/foo.html is a frameset and one of its frames is /home/user/subdir/bar.html, the frame and the frameset are considered to have the same origin. On the other hand, if the file /home/user/subdir/foo.html is a frameset and one of its frames is /home/user/bar.html, the frame and the frameset are considered to have different origins.

The security.fileuri.strict_origin_policy preference, which defaults to true, can be set to false if the user does not want the strict same-origin policy enforced for file: URIs. Setting it to false restores the Gecko 1.8 behaviour, in which any local page you open can read any file on disk that your account can read, so it should be left at the default. Note that later Firefox releases (Firefox 68 and newer) tightened this further and treat every file: URI as a unique origin by default, so the directory-based rule described here is the historical Gecko 1.9 behaviour.

See also: Same-origin policy
