Bug 3593

Summary:

iFrame Doesn't seem to Respect a local "file://" src

Product:

WebKit

Reporter:

David Wheeler <david>

Component:

Frames

Assignee:

Maciej Stachowiak <mjs>

Status:

RESOLVED WORKSFORME

Severity:

Normal

CC:

Priority:

Version:

412

Hardware:

Mac

OS:

OS X 10.4

Attachments:

Description	Flags
Test Case	none
Improved and reduced testcase	none
A similar case that works	none

David Wheeler

Reported 2005-06-17 11:50:36 PDT

* SUMMARY When I load a page from my local file system, and point a frame to another file on my file system, the frame will not load the local page. This makes local testing difficult. * STEPS TO REPRODUCE 1. Open the test case in a text editor, and point the frame source to another file on your local file system. 2. Open the test case from your local hard drive. 3. Note how the local file does not load in the iframe, even if you use file:// 4. Change the iframe source to a page served by a Web server (e.g., http://www.apple.com/). 5. Note how the iframe now loads the page. * RESULTS Locale files do not load in iframes, while remote files served by a Web server do. * EXPECTED RESULTS I expect local files to load in iframes just like remote files do. Such is the case in Firefox. This also has ramifications for my JavaScript work, wherein I attempt to assign to frames[0].location.href and nothing happens unless the URL I assign to location is served by a Web server.

Attachments
Test Case (764 bytes, text/plain) 2005-06-17 11:51 PDT, David Wheeler	no flags	Details
Improved and reduced testcase (134 bytes, text/html) 2005-06-18 01:16 PDT, Joost de Valk (AlthA)	no flags	Details
A similar case that works (1.30 KB, application/octet-stream) 2005-08-12 09:07 PDT, Alexey Proskuryakov	no flags	Details
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

David Wheeler

Comment 1 2005-06-17 11:51:09 PDT

Created attachment 2446 [details] Test Case

Joost de Valk (AlthA)

Comment 2 2005-06-18 01:10:34 PDT

Confirmed, but renamed. Safari doens't take file:// for iframe src, it DOES however take http://localhost/ sources.

Joost de Valk (AlthA)

Comment 3 2005-06-18 01:16:33 PDT

Created attachment 2455 [details] Improved and reduced testcase Same procedure as for the first testcase.

David Wheeler

Comment 4 2005-08-11 14:07:34 PDT

FYI, this is also an issue with XMLHttpRequest objects, too: They don't respect a local "file://" src, either.

Alexey Proskuryakov

Comment 5 2005-08-11 21:44:28 PDT

Wouldn't this allow "stealing" local documents, thus opening a security hole? For local testing, I use relative URLs, seem to work fine.

David Wheeler

Comment 6 2005-08-11 22:27:40 PDT

No, relative URLs don't work, either. That was my original report. It didn't even occur to me that file:// overall was the problem until Joost de Valk renamed this bug report. One should be able to use file:// locations (relative or absolute) if the refering document is also local.

Alexey Proskuryakov

Comment 7 2005-08-12 09:07:29 PDT

Created attachment 3354 [details] A similar case that works

Alexey Proskuryakov

Comment 8 2005-08-12 09:10:21 PDT

Indeed, I was speaking about "improved and reduced testcase" by Joost de Valk. In that case, document-relative paths DO work: simply change "file://Users/jdevalk/webkit/testcases/font- hover.html" to just "font-hover.html" (assuming you have such file in the same directory). As for your original testcase, looks like it is the first frames[0].location that really fails - both <iframe src="test.html"> and the timer work fine. This is probably a bug. Please the the attached test case "A similar case that works" for an example of what works for me. I do not think that the location of the document should affect security restrictions anyhow. Otherwise, someone could file a bug with an archived malicious testcase in WebKit bugzilla...

David Wheeler

Comment 9 2005-08-12 09:13:54 PDT

FYI, I retract my comment about XMLHttpRequest not respecting file://. It seems like Safari just sets the status to null when it's a local file. I'm not sure that's an appropriate status, but it's easy enough to check for.

David Wheeler

Comment 10 2005-08-12 09:19:19 PDT

(In reply to comment #7) > Created an attachment (id=3354) [edit] > A similar case that works Does not work for me in Safari 2.0 (412.2). Maybe you're using a build from CVS?

Alexey Proskuryakov

Comment 11 2005-08-12 10:19:33 PDT

> Does not work for me in Safari 2.0 (412.2). Maybe you're using a build from CVS? Works for me in 312, 412.2 and ToT (open try.html; "test.html" is displayed, to be replaced with "foo.html" a few seconds later)... Some timing/caching issue? My Mac is a G4/1.25DP. Regardless, something strange is certainly happening to local files. Perhaps, this issue should be renamed in a more general manner, and wait for someone to seriously look into it?

Alexey Proskuryakov

Comment 12 2005-08-14 05:13:08 PDT

BTW, the primary reason for the reduced testcase to fail is that it lacks a slash in the URL: "file://Users..."

Maciej Stachowiak

Comment 13 2005-08-14 17:36:23 PDT

As far as I can tell, the sole problem with the test case given is that it's missing a slash - it should be file:///Users/... or file://localhost/Users... (or for convenience file:/Users/...), not file://Users/... The two slashes make WebKit interpret Users as a hostname, so the path is not found. Please reopen if a syntactically correct test case shows a problem, or if there is evidence that two slashes before a path is accepted by other browsers.

David Wheeler

Comment 14 2005-08-18 08:34:56 PDT

Well, if you look at my original test case (http://bugzilla.opendarwin.org/attachment.cgi?id=2446), you'll see that it's not explicitly using file:// or a URL ending in a slash. It's just using a file name, such as "foo.html". It's a relative path. And for me, it does not load the local file in the iframe. I'm using Safari 2.0 (412.2.2). If this is fixed in CVS, then cool. I look forward to the next release!

Maciej Stachowiak

Comment 15 2005-11-10 19:16:40 PST

I can't reproduce a problem with the original test case, either in the cvs version or the version shipped in Denver. A "test.html" in the same directory loads fine as a relative reference to a local file. The absolute URLs work fine too, when I change them to paths that exist. The "improved and reduced" test case uses "file://Users" and so is buggy. I don't see a bug here that I can reproduce.

David Wheeler

Comment 16 2005-11-11 09:02:36 PST

It does seem to be fixed in 2.0.2 (416.12). Thanks.

Note You need to log in before you can comment on or make changes to this bug.