Bug 31425

Summary: file:// documents should not be able to open WebSocket connections
Product: WebKit
Reporter: Alexey Proskuryakov <ap>
Component: WebCore Misc.
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: abarth, bfulgham, joe, joenotcharles, ukai, wilander, yael
Priority: P2
Keywords: InRadar
Version: 528+ (Nightly build)
Hardware: All
OS: All

Description Alexey Proskuryakov 2009-11-12 11:39:38 PST
XMLHttpRequest is now forbidden from local files, and WebSocket should be, too.
Comment 1 Alexey Proskuryakov 2009-12-04 11:23:49 PST
<rdar://problem/7444841>
Comment 2 Alexey Proskuryakov 2009-12-08 11:05:40 PST
It's not true that XHR is forbidden - it just becomes cross-origin. So, WebSocket behavior matches current XHR behavior.
Comment 3 Joe Andrieu 2011-03-13 00:39:44 PST
XHR is not necessarily cross-origin from a file. It could be accessing another file URL or localhost or a non-standard scheme like data: or javascript (which may or may not have a parsable origin encoded in the URL).
Comment 4 Adam Barth 2011-03-13 00:52:07 PST
We support a number of different policies for the security origin of file URLs, including treating every file URL as a different origin (which is the most secure option).