Summary: | file:// documents should not be able to open WebSocket connections | ||
---|---|---|---|
Product: | WebKit | Reporter: | Alexey Proskuryakov <ap> |
Component: | WebCore Misc. | Assignee: | Nobody <webkit-unassigned> |
Status: | NEW --- | ||
Severity: | Normal | CC: | abarth, bfulgham, joe, joenotcharles, ukai, wilander, yael |
Priority: | P2 | Keywords: | InRadar |
Version: | 528+ (Nightly build) | ||
Hardware: | All | ||
OS: | All |
Description
Alexey Proskuryakov
2009-11-12 11:39:38 PST
It's not true that XHR is forbidden - it just becomes cross-origin. So, WebSocket behavior matches current XHR behavior. XHR is not necessarily cross-origin from a file. It could be accessing another file URL or localhost or a non-standard scheme like data: or javascript (which may or may not have a parsable origin encoded in the URL). We support a number of different policies for the security origin of file URLs, including treating every file URL as a different origin (which is the most secure option). |