[JS - Security] WebSite can't access local script...

User Help for Mozilla Firefox
Post Reply
LeCastor2001
Guest

[JS - Security] WebSite can't access local script...

Post by LeCastor2001 »

Hi,

I have a website which must access a javascript located on my computer. The script tag look like this :

<script type="text/javascript" src="file:///localScript.js"></Script>

Unfortunately, the script doesnt load, and there's a message in the javaScript console saying :
"Security Error: Content at http://www.website.com" may not load or link to "file:///localScript.js"

What must I do to make this possible ? I've searched this forum, but I couldn't find a answer...

Thanks a lot !
Dunderklumpen
Posts: 16224
Joined: March 9th, 2003, 8:12 am

Post by Dunderklumpen »

To begin with - you can not use file://.
LeCastor2001
Guest

Post by LeCastor2001 »

Of course you can put a file:// in the src attribute... I don't know why you can't...
Dunderklumpen
Posts: 16224
Joined: March 9th, 2003, 8:12 am

Post by Dunderklumpen »

Security reasons - that´s why.
LeCastor2001
Guest

Post by LeCastor2001 »

According to the W3C html4 recommendation, the src attribute should contain an URI. According to RFC 1630, which defines the URI concept, file:// is a valid scheme. So I don't know it shouldn't work, even for security reasons. And even if there are security reasons, it should be disabled by the user.

The website is not mine, so i can't modify the html source. So to access the site, i have to use IE... Pretty annoying... And I search in the about:config page, but I haven't seen anything which could disable this...
User avatar
alanjstr
Moderator
Posts: 9100
Joined: November 5th, 2002, 4:43 pm
Location: Anywhere but here
Contact:

Post by alanjstr »

What is the path to the javascript file? file:///file.js is not a valid path unless you are using Linux and it is in your root directory. Remote web pages cannot access local javascript, either.

If it is a local html file and local js file, then src="file.js" would work.
Former UMO Admin, Former MozillaZine General Mod
I am rarely on mozillaZine, so please do not send me a private message.
My Old Firefox config files
LeCastor2001
Guest

Post by LeCastor2001 »

The src attribute looks like this : file:///C:/scripts/script.js . So it should be valid. The html file is remote, and has to access a local file. This is causing problems.

And consider that I can't change this, because it is not my website. All I can do right now is using IE, because it works. FireBird doesn't want to load the script file because of security issues...
User avatar
alanjstr
Moderator
Posts: 9100
Joined: November 5th, 2002, 4:43 pm
Location: Anywhere but here
Contact:

Post by alanjstr »

LeCastor2001 wrote:The src attribute looks like this : file:///C:/scripts/script.js . So it should be valid. The html file is remote, and has to access a local file. This is causing problems.


Yes, that would be a huge security hole. It sounds like someone coded a website wrong. Email the webmaster.
Former UMO Admin, Former MozillaZine General Mod
I am rarely on mozillaZine, so please do not send me a private message.
My Old Firefox config files
Dunderklumpen
Posts: 16224
Joined: March 9th, 2003, 8:12 am

Post by Dunderklumpen »

alanjstr wrote:
LeCastor2001 wrote:The src attribute looks like this : file:///C:/scripts/script.js . So it should be valid. The html file is remote, and has to access a local file. This is causing problems.


Yes, that would be a huge security hole. It sounds like someone coded a website wrong. Email the webmaster.


My point exactly.
LeCastor2001
Guest

Post by LeCastor2001 »

alanjstr wrote:Yes, that would be a huge security hole. It sounds like someone coded a website wrong. Email the webmaster.


Let me explain a little more in depth the situation. This website contains loads of images. In order to fasten the loading time, there is an options to download a zip containing all the images. So after decompressing the zip file, and activating the option, all images are loaded from a local folder.

But I noticed that all the javascripts used in the website are also in the zip file. So if I want to load the images locally, I have to load the javascripts locally too.

Then you'll say "yeah, but you got a DSL connexion, so loading some images doesn't take too long". The fact is that I had to change those javascripts to make them more FireBird-compatible (some little things weren't working). So I really need to load them locally.

So I have 2 choices : on one hand, use IE (crap), on the other hand change the security applied to scripts.

I think I should be able to load scripts locally for this site only (like every security options, you know, allow specific websites to do fordidden things).
User avatar
alanjstr
Moderator
Posts: 9100
Joined: November 5th, 2002, 4:43 pm
Location: Anywhere but here
Contact:

Post by alanjstr »

Its a security hole. I highly doubt it will happen. The only way you can execute the scripts locally is if you open the html locally.
Former UMO Admin, Former MozillaZine General Mod
I am rarely on mozillaZine, so please do not send me a private message.
My Old Firefox config files
LeCastor2001
Guest

Post by LeCastor2001 »

It may be a security hole, of course...

But one thing you may have missed, is that it's the only website on earth which need a local access to scripts file.

What I want is this : by default, nothing can have an access to my local file except this website.

What is the problem if I allow this website to access some files locally ? -> nothing, I believe. This is a highly trusted website, so there's no reason it can't open a poor small local file.
LeCastor2001
Guest

Post by LeCastor2001 »

Allright folks ! I found out how to do it :

just go in the about:config page, add a new boolean, named "security.checkloaduri", and set it to false.
User avatar
shadytrees
Moderator
Posts: 11743
Joined: November 30th, 2002, 6:41 am

Post by shadytrees »

So it's an optional security hole. Interesting. =)
LeCastor2001
Guest

Post by LeCastor2001 »

After thinking for a while about it, I can't figure why it is a security hole...

The website is just telling my browser to open a local script file, and launch serveral functions inside it. Nothing is returned to the server, what the script is doing is just opening some popup windows. No harm can be done to my computer, I know exactly what is in the script file (I rewritted everything)....
Post Reply