Comment #17 on issue 20450 by scarybeasts: Chromium shouldn't allow XHR to local directories
http://code.google.com/p/chromium/issues/detail?id=20450

This is a pain.

Safari sidesteps this issue by not having _any_ support for loading directory
listings, as far as I can tell. Even a direct navigation to file://c:/ (Safari on
Windows) gives permission denied.

On Chrome, we could deny directory listings in the browser for resource SUB_RESOURCE
(e.g. XHR) and SUB_FRAME (e.g. iframe). Unfortunately, this would leave a hole with
MAIN_FRAME where the attacker does window.open().

I think the right thing to do might be to only permit directory listings for
MAIN_FRAME, along with a change to deny DOM access between two documents in the
"file" domain. (This latter tweak would seem to match Firefox; I need to confirm).

Adam -- to help me unravel the WebKit part of this, could you help with the
difference between SecurityOrigin::canRequest, ::canLoad and ::canAccess?
