Re: Re (4): Capability of Iceweasel to open a local file.
On Mon, Jun 06, 2011 at 01:12:46PM -0800, peasthope@shaw.ca wrote:
> From: Camaleon <noelamac@gmail.com>
> Date: Mon, 06 Jun 2011 19:34:24 +0000 (UTC)
> > Can you give a concrete example of your goal?
>
> In your home directory, make a file named Category2.html containing any
> valid html text. The example you gave in your earlier reply will be fine.
>
> Open "http://members.shaw.ca/peasthope/#Links" and you will see three links
> containing "file:*Category2". Probably the third non-blank line.
> Can you open the second link, file:///~/Category2.html ? It won't open here.
> But it works if copied to the clipboard and pasted into the URI window.
> Copying and pasting should not be necessary. It should open with a mouse
> click!
>
> > That is, what piece of code is working on that Native Oberon but fails
> > inside Iceweasel?
>
> The link file:Category2.html works for NO. With NO not having a
> hierarchical file system it can not open file:///~/Category2.html but
> opens file:Category2.html, no problem. Analogously, file:///~/Category2.html
> should work for Iceweasel.
>
> OK; I'm more convinced there's a fault in Iceweasel!
As Camaleon already said: it's a security question. In general, you do
not want a remote website to be able to access your local files. However, you
can make Iceweasel work:
- open "about:config" in Iceweasel
- accept that you know what you're doing (and that you will be careful)
- search for "security.checkloaduri" and set it to "false"
(on newer Iceweasels, that's called
"security.fileuri.strict_origin_policy")
Now, Iceweasel should accept your link. (I have no webserver at hand, so
I haven't tested...)
see http://kb.mozillazine.org/Links_to_local_pages_don't_work
But: The serious security flaw which I see here is the following: This
allows all remote sites which you're looking at to use "file:///" in
order to access your local files. That's true also for JavaScript. So, as
soon as you set "security.checkloaduri=true", a website you're visiting
could copy all files from your local disk which you're allowed to read
(so /etc/shadow would be inaccessible (unless you run Iceweasel as root
:-)), but all files in /home/user can be copied).
Do you know how that problem is solved in Native Oberon?
Axel
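
Added example, not part of the original message: a check that reads the text of a profile's prefs.js and user.js and reports whether either preference named in the reply above has been set to false. The function names and the sample preference text are constructed for illustration; it assumes the usual `user_pref("name", value);` line format, with user.js applied on top of prefs.js.

```python
import re

# The two preferences named in the message; each is flagged when set to false.
WATCHED = ("security.checkloaduri", "security.fileuri.strict_origin_policy")

# prefs.js / user.js entries look like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)

def effective_prefs(*sources):
    """Merge pref file texts in order; later sources override earlier ones."""
    prefs = {}
    for text in sources:
        text = BLOCK_COMMENT_RE.sub("", text)  # drop /* ... */ comments
        for line in text.splitlines():
            m = PREF_RE.match(line)  # lines starting with // never match
            if m:
                prefs[m.group(1)] = m.group(2)
    return prefs

def weakened(prefs):
    """Return the watched preferences that are explicitly set to false."""
    return sorted(name for name in WATCHED if prefs.get(name) == "false")

# Constructed sample input (not taken from a real profile).
PREFS_JS = '''
// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.fileuri.strict_origin_policy", false);
'''
USER_JS = '''
// user_pref("security.checkloaduri", false);
/* user_pref("security.checkloaduri", false); */
user_pref("security.fileuri.strict_origin_policy", true);
'''

if __name__ == "__main__":
    print("prefs.js only:      ", weakened(effective_prefs(PREFS_JS)))
    print("prefs.js + user.js: ", weakened(effective_prefs(PREFS_JS, USER_JS)))
```
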