On Tue, 18 Aug 2009 20:14:00 -0400, Adam Barth <w...@adambarth.com> wrote:

> On Tue, Aug 18, 2009 at 3:38 PM, Michael A. Puls II <shadow2...@gmail.com> wrote:
>> On Tue, 18 Aug 2009 18:10:41 -0400, Adam Barth <w...@adambarth.com> wrote:
>>> Mozilla does indeed separate by directory in an interesting way.
>>
>> Is the exact way documented that you know of?
>
> There is some description on the Mozilla developers wiki, but the
> implementation didn't match that description last time I investigated
> this topic.

Thanks. Here's what I see:

Page: file:///c:/documents%20and%20settings/user/desktop/test.html

File to fetch with "GET" and XHR - result

Opera
file:///d:/test.txt - allowed
file:///c:/test.txt - allowed
file:///c:/documents%20and%20settings/user/test.txt - allowed
test.txt - allowed
dir/test.txt - allowed
../test.txt - allowed
http://www.google.com/webhp - Security violation exception
file_that_does_not_exist.txt - No exception thrown, but responseText is empty

Safari
file:///d:/test.txt - allowed
file:///c:/test.txt - allowed
file:///c:/documents%20and%20settings/user/test.txt - allowed
test.txt - allowed
dir/test.txt - allowed
../test.txt - allowed
http://www.google.com/webhp - allowed
file_that_does_not_exist.txt - No exception thrown, but responseText is empty

Firefox:
file:///d:/test.txt - "Access to restricted URI denied" exception
file:///c:/test.txt - "Access to restricted URI denied" exception
file:///c:/documents%20and%20settings/user/test.txt - "Access to restricted URI denied" exception
test.txt - allowed
dir/test.txt - allowed
../test.txt - "Access to restricted URI denied" exception
http://www.google.com/webhp - No exception thrown, but responseText is empty
file_that_does_not_exist.txt - "Access to restricted URI denied" exception

Things that could be improved:
1. For Firefox and file_that_does_not_exist.txt, "Access to restricted URI
denied" isn't the best message. Something like "file not found" would be
way better.
2. For Firefox, http://www.google.com/webhp should throw an exception
instead of just making responseText "".
3. For Safari, http://www.google.com/webhp should throw an exception.
4. For Opera and Safari, file_that_does_not_exist.txt should throw an
exception instead of responseText just being "".
5. For Opera and Safari, file:///d:/test.txt, file:///c:/test.txt,
file:///c:/documents%20and%20settings/user/test.txt and ../test.txt should
all throw an exception like Firefox does.
Firefox only allowing access to files in
"file:///c:/documents%20and%20settings/user/desktop/" and its
subdirectories seems great.

>> If you have access to dev and try to load a path to a current device, what
>> happens in browsers currently?
>
> I recommend the experimental method. :)

Gotcha.
--
Michael
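
The directory-scoped behaviour reported for Firefox in the message above, modelled as a standalone check. This is an added example, not part of the original message and not Mozilla's implementation. The function name `checkFileRequest` and its return shape are assumptions; Windows case-insensitivity and whether the file exists are outside the model.

```javascript
// Added illustration: a model of the policy the message reports for Firefox,
// where a file: page may read only its own directory and subdirectories.
function checkFileRequest(pageUrl, requested) {
  const page = new URL(pageUrl);
  if (page.protocol !== "file:") {
    throw new Error("this model only covers pages loaded from file: URLs");
  }
  let target;
  try {
    target = new URL(requested, page); // resolves relative paths and ".." segments
  } catch (e) {
    return { allowed: false, reason: "unparsable URL" };
  }
  if (target.protocol !== "file:") {
    return { allowed: false, reason: "non-file scheme" };
  }
  if (target.host !== page.host) {
    return { allowed: false, reason: "different file host" };
  }
  // An encoded separator survives URL parsing but becomes a real separator
  // once decoded, so it is rejected before the prefix comparison.
  if (/%2f|%5c/i.test(target.pathname)) {
    return { allowed: false, reason: "encoded path separator" };
  }
  let pageDir, targetPath;
  try {
    const dirEnd = page.pathname.lastIndexOf("/") + 1;
    pageDir = decodeURIComponent(page.pathname.slice(0, dirEnd));
    targetPath = decodeURIComponent(target.pathname);
  } catch (e) {
    return { allowed: false, reason: "malformed percent-encoding" };
  }
  // pageDir ends in "/", so a sibling such as ".../desktop2/" does not match.
  if (!targetPath.startsWith(pageDir)) {
    return { allowed: false, reason: "outside page directory" };
  }
  return { allowed: true, reason: "inside page directory" };
}

// Page URL and the first three requests are from the message; the last two are constructed.
const PAGE = "file:///c:/documents%20and%20settings/user/desktop/test.html";
const SAMPLES = ["test.txt", "dir/test.txt", "../test.txt",
                 "../desktop2/test.txt", "dir%2f..%2f..%2ftest.txt"];
for (const req of SAMPLES) {
  const r = checkFileRequest(PAGE, req);
  console.log(`${req} -> ${r.allowed ? "allowed" : "denied"} (${r.reason})`);
}
```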