31425 2009-11-12 11:39:38 -0800 file:// documents should not be able to open WebSocket connections 2016-05-18 21:34:57 -0700 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) All All NEW InRadar P2 Normal --- 1 ap webkit-unassigned abarth bfulgham joe joenotcharles ukai wilander yael oldest_to_newest 162983 0 ap 2009-11-12 11:39:38 -0800 XMLHttpRequest is now forbidden from local files, and WebSocket should be, too. 168854 1 ap 2009-12-04 11:23:49 -0800 <rdar://problem/7444841> 169732 2 ap 2009-12-08 11:05:40 -0800 It's not true that XHR is forbidden - it just becomes cross-origin. So, WebSocket behavior matches current XHR behavior. 366691 3 joe 2011-03-13 00:39:44 -0800 XHR is not necessarily cross-origin from a file. It could be accessing another file URL or localhost or a non-standard scheme like data: or javascript (which may or may not have a parsable origin encoded in the URL). 366693 4 abarth 2011-03-13 00:52:07 -0800 We support a number of different policies for the security origin of file URLs, including treating every file URL as a different origin (which is the most secure option).