Bug 171666

Summary: CORS execution from file:// scheme not allowed by default in STP 29
Product: WebKit Reporter: David Richardson <d.i.richardson>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: RESOLVED INVALID    
Severity: Normal CC: bfulgham, dbates, jond
Priority: P2    
Version: Safari Technology Preview   
Hardware: Mac   
OS: macOS 10.12   
Attachments:
Description Flags
A simple html file with XHR to fetch and display http://webkit.org none

David Richardson
Reported 2017-05-04 09:25:53 PDT
Created attachment 309055 [details] A simple html file with XHR to fetch and display http://webkit.org Beginning with Safari Technology Preview release 29, all CORS requests from file:// are blocked unless Disable Local File Restrictions or Disable Cross-Origin Restrictions selected from Develop menu. This behaviour is new, and not present in release versions of Safari or Webkit Nightly r216177. Load attached file in browser to test.
Attachments
A simple html file with XHR to fetch and display http://webkit.org (699 bytes, text/html)
2017-05-04 09:25 PDT, David Richardson 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Daniel Bates
Comment 1 2017-05-04 09:43:19 PDT
As it turns out the behavior change is intentional. In STP 29 we changed Develop > Disable Local File Restrictions to toggle granting universal access for non-quarantined file URLs. Formerly file URLs for non-quarantined files would be granted universal access by default and Develop > Disable Local File Restrictions did nothing. So, to opt into the old behavior enable Disable Local File Restrictions.
Daniel Bates
Comment 2 2017-05-04 09:44:06 PDT
We should update the STP 29 release notes to mention the behavior change.
Daniel Bates
Comment 3 2017-05-04 09:46:04 PDT
For Apple employees, see <rdar://problem/30383804> for more details on this change in behavior.
Brent Fulgham
Comment 4 2017-05-12 08:48:56 PDT
Note that WebKit's behavior for this now matches Chrome and Firefox.
Note You need to log in before you can comment on or make changes to this bug.