8

The question is based on this issue in Chromium. It is marked as Won't Fix.

Do you see any reason to block a local html file from accessing another local html file located in the same folder?

Adam Lear
Vanuan
  • 18
    On the contrary, I don't see any reason to allow it. – sevenseacat Apr 29 '11 at 13:59
  • 1
    What about a local webapp or an extension? Is it forced to store all its data in a single long html file? – Vanuan Apr 29 '11 at 15:01
  • 2
    @Karpie I agree with your basic theory, but at the same time disagree with the realistic application. There is a marked difference between academic and applied and, in this case, the suggested workarounds (i.e., setting up another server, using security-disabling flags, etc.) seem worse than having an established model where "File in X directory has read permissions on other files in X directory". Perfect? No. Better than kludgy alternatives? Maybe? The example case of "many applications are using HTML help docs" seems a reasonable real-world scenario. – Farray May 04 '11 at 09:20
  • If you want, you can try this over at http://security.stackexchange.com/ – AviD May 11 '11 at 19:07
  • 2
    @Karpie - you should explain why rather than just tossing in a throw-away like that. Not everyone understands security implications. Educating about what seems to be a fair question would be nice. – quickly_now May 30 '11 at 04:36
  • @Karpie: Just because you can't visualize it doesn't mean anyone won't need it. The world is full of so many unique problems. – Geek May 30 '11 at 06:09
  • @Vanuan: You can still include JavaScript, CSS files and link to other local HTML files. – Philip Nov 01 '11 at 21:39
  • @sevenseacat, Ease of development – Pacerier Aug 06 '17 at 07:24

2 Answers

3

I know this is an old question, but I didn't see this important fact mentioned anywhere:

Chrome allows you to add a folder on your file system as a local Web application. Once you do that, files in that folder no longer need to be accessed through the file: protocol -- they become accessible through the chrome-extension:// protocol, e.g., chrome-extension://[app_id]/somefile.html. When accessing your files this way, the restrictions on local file access do not apply.

True, you need to write a small, three-line manifest.json file [1] that specifies the name of your application, but if you want to use multiple local files as a local Web application, it makes some sense, security-wise, to require that you use Chrome's extension architecture to indicate clearly what folders on your hard drive should be accessed like Web applications. That way, Chrome can assume that everything else on your hard drive is not a Web application, and lock down permissions on non-app HTML files that get loaded in the browser. The addition of the manifest.json file adds only a few bytes to your folder, and it doesn't get in the way if you want to use your files in some other browser that does allow unfettered file access.

apsillers
3

I don't know the real answer, but here's a good guess:

It's common to use File -> Save As... to save HTML to a file. Often users will save HTML files from different web sites to the same directory (perhaps named "Downloads"). Allowing one of these files to access the other (and possibly upload it somewhere) would be a privacy leak.

Since there are more users than developers and users are less security-aware on average, protecting users probably seems more important.

Even without this feature, it's still possible to create web applications that work offline. See: http://diveintohtml5.org/offline.html

Brian Slesinsky
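
Added example, not part of either answer and not Chromium's code: a simplified model that contrasts the per-file restriction described in the question with the same-directory rule proposed in the comments, applied to the Save As scenario from the answer above. The policy names, file paths and app id are constructed for illustration.

```javascript
// Simplified model of local-file access policies (an assumption-based
// illustration, not Chromium's implementation).

// Directory part of a URL path: "/home/u/Downloads/a.html" -> "/home/u/Downloads/".
function directoryOf(url) {
  const path = new URL(url).pathname;
  return path.slice(0, path.lastIndexOf('/') + 1);
}

// May a script running in `docUrl` read `targetUrl` under `policy`?
//   'unique-origin'  : each file: document is isolated from every other file
//                      (the behaviour the question describes for Chrome).
//   'same-directory' : the rule proposed in the comments, "file in X directory
//                      has read permissions on other files in X directory".
function mayRead(docUrl, targetUrl, policy) {
  const doc = new URL(docUrl);
  const target = new URL(targetUrl);
  if (doc.protocol !== target.protocol) return false;

  if (doc.protocol === 'chrome-extension:') {
    // Per the first answer: an app's files share chrome-extension://[app_id]/.
    return doc.host === target.host;
  }
  if (doc.protocol !== 'file:') return false; // other schemes are out of scope
  if (policy === 'unique-origin') return doc.href === target.href;
  if (policy === 'same-directory') {
    return doc.host === target.host &&
      directoryOf(docUrl) === directoryOf(targetUrl);
  }
  throw new Error('unknown policy: ' + policy);
}

// Constructed sample: pages saved from different sites with File -> Save As...
const SAVED = [
  'file:///home/user/Downloads/news-article.html',
  'file:///home/user/Downloads/bank-statement.html',
  'file:///home/user/Documents/notes.html',
];

// Other files that a script inside `docUrl` could read under `policy`.
function exposedTo(docUrl, files, policy) {
  return files.filter((f) => f !== docUrl && mayRead(docUrl, f, policy));
}

console.log(exposedTo(SAVED[0], SAVED, 'same-directory'));
console.log(exposedTo(SAVED[0], SAVED, 'unique-origin'));
```

Under the same-directory rule the saved news page can read the bank statement saved next to it; under per-file isolation nothing is exposed, while files inside one app folder still reach each other through their shared chrome-extension:// origin.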