MozillaZine

[JS - Security] WebSite can't access local script...

User Help for Mozilla Firefox
LeCastor2001
Guest
 

Post Posted November 25th, 2003, 4:14 am

Hi,

I have a website which must access a javascript located on my computer. The script tag look like this :

<script type="text/javascript" src="file:///localScript.js"></Script>

Unfortunately, the script doesnt load, and there's a message in the javaScript console saying :
"Security Error: Content at http://www.website.com" may not load or link to "file:///localScript.js"

What must I do to make this possible ? I've searched this forum, but I couldn't find a answer...

Thanks a lot !

Dunderklumpen
 
Posts: 16224
Joined: March 9th, 2003, 8:12 am

Post Posted November 25th, 2003, 4:32 am

To begin with - you can not use file://.

LeCastor2001
Guest
 

Post Posted November 25th, 2003, 4:53 am

Of course you can put a file:// in the src attribute... I don't know why you can't...

Dunderklumpen
 
Posts: 16224
Joined: March 9th, 2003, 8:12 am

Post Posted November 25th, 2003, 7:01 am

Security reasons - that´s why.

LeCastor2001
Guest
 

Post Posted November 25th, 2003, 8:40 am

According to the W3C html4 recommendation, the src attribute should contain an URI. According to RFC 1630, which defines the URI concept, file:// is a valid scheme. So I don't know it shouldn't work, even for security reasons. And even if there are security reasons, it should be disabled by the user.

The website is not mine, so i can't modify the html source. So to access the site, i have to use IE... Pretty annoying... And I search in the about:config page, but I haven't seen anything which could disable this...

alanjstr
Moderator

User avatar
 
Posts: 9100
Joined: November 5th, 2002, 4:43 pm
Location: Anywhere but here

Post Posted November 25th, 2003, 11:30 am

What is the path to the javascript file? file:///file.js is not a valid path unless you are using Linux and it is in your root directory. Remote web pages cannot access local javascript, either.

If it is a local html file and local js file, then src="file.js" would work.
Former UMO Admin, Former MozillaZine General Mod
I am rarely on mozillaZine, so please do not send me a private message.
My Old Firefox config files

LeCastor2001
Guest
 

Post Posted November 25th, 2003, 11:51 am

The src attribute looks like this : file:///C:/scripts/script.js . So it should be valid. The html file is remote, and has to access a local file. This is causing problems.

And consider that I can't change this, because it is not my website. All I can do right now is using IE, because it works. FireBird doesn't want to load the script file because of security issues...

alanjstr
Moderator

User avatar
 
Posts: 9100
Joined: November 5th, 2002, 4:43 pm
Location: Anywhere but here

Post Posted November 25th, 2003, 4:25 pm

LeCastor2001 wrote:The src attribute looks like this : file:///C:/scripts/script.js . So it should be valid. The html file is remote, and has to access a local file. This is causing problems.


Yes, that would be a huge security hole. It sounds like someone coded a website wrong. Email the webmaster.
Former UMO Admin, Former MozillaZine General Mod
I am rarely on mozillaZine, so please do not send me a private message.
My Old Firefox config files

Dunderklumpen
 
Posts: 16224
Joined: March 9th, 2003, 8:12 am

Post Posted November 26th, 2003, 2:34 am

alanjstr wrote:
LeCastor2001 wrote:The src attribute looks like this : file:///C:/scripts/script.js . So it should be valid. The html file is remote, and has to access a local file. This is causing problems.


Yes, that would be a huge security hole. It sounds like someone coded a website wrong. Email the webmaster.


My point exactly.

LeCastor2001
Guest
 

Post Posted November 26th, 2003, 11:42 am

alanjstr wrote:Yes, that would be a huge security hole. It sounds like someone coded a website wrong. Email the webmaster.


Let me explain a little more in depth the situation. This website contains loads of images. In order to fasten the loading time, there is an options to download a zip containing all the images. So after decompressing the zip file, and activating the option, all images are loaded from a local folder.

But I noticed that all the javascripts used in the website are also in the zip file. So if I want to load the images locally, I have to load the javascripts locally too.

Then you'll say "yeah, but you got a DSL connexion, so loading some images doesn't take too long". The fact is that I had to change those javascripts to make them more FireBird-compatible (some little things weren't working). So I really need to load them locally.

So I have 2 choices : on one hand, use IE (crap), on the other hand change the security applied to scripts.

I think I should be able to load scripts locally for this site only (like every security options, you know, allow specific websites to do fordidden things).

alanjstr
Moderator

User avatar
 
Posts: 9100
Joined: November 5th, 2002, 4:43 pm
Location: Anywhere but here

Post Posted November 26th, 2003, 12:54 pm

Its a security hole. I highly doubt it will happen. The only way you can execute the scripts locally is if you open the html locally.
Former UMO Admin, Former MozillaZine General Mod
I am rarely on mozillaZine, so please do not send me a private message.
My Old Firefox config files

LeCastor2001
Guest
 

Post Posted November 26th, 2003, 4:18 pm

It may be a security hole, of course...

But one thing you may have missed, is that it's the only website on earth which need a local access to scripts file.

What I want is this : by default, nothing can have an access to my local file except this website.

What is the problem if I allow this website to access some files locally ? -> nothing, I believe. This is a highly trusted website, so there's no reason it can't open a poor small local file.

LeCastor2001
Guest
 

Post Posted November 27th, 2003, 3:47 am

Allright folks ! I found out how to do it :

just go in the about:config page, add a new boolean, named "security.checkloaduri", and set it to false.

shadytrees
Moderator

User avatar
 
Posts: 11743
Joined: November 30th, 2002, 6:41 am

Post Posted November 27th, 2003, 6:21 am

So it's an optional security hole. Interesting. =)

LeCastor2001
Guest
 

Post Posted November 27th, 2003, 7:41 am

After thinking for a while about it, I can't figure why it is a security hole...

The website is just telling my browser to open a local script file, and launch serveral functions inside it. Nothing is returned to the server, what the script is doing is just opening some popup windows. No harm can be done to my computer, I know exactly what is in the script file (I rewritted everything)....

Return to Firefox Support


Who is online

Users browsing this forum: Google [Bot] and 11 guests