Bug 31425
| Summary: | file:// documents should not be able to open WebSocket connections | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Alexey Proskuryakov <ap> |
| Component: | WebCore Misc. | Assignee: | Nobody <webkit-unassigned> |
| Status: | NEW | | |
| Severity: | Normal | CC: | abarth, bfulgham, joe, joenotcharles, ukai, wilander, yael |
| Priority: | P2 | Keywords: | InRadar |
| Version: | 528+ (Nightly build) | | |
| Hardware: | All | | |
| OS: | All | | |
Alexey Proskuryakov
XMLHttpRequest is now forbidden from local files, and WebSocket should be, too.
Alexey Proskuryakov
<rdar://problem/7444841>
Alexey Proskuryakov
It's not true that XHR is forbidden - it just becomes cross-origin. So, WebSocket behavior matches current XHR behavior.
Joe Andrieu
XHR is not necessarily cross-origin from a file. It could be accessing another file URL or localhost or a non-standard scheme like data: or javascript (which may or may not have a parsable origin encoded in the URL).
Adam Barth
We support a number of different policies for the security origin of file URLs, including treating every file URL as a different origin (which is the most secure option).