Bug 171666 - CORS execution from file:// scheme not allowed by default in STP 29
Summary: CORS execution from file:// scheme not allowed by default in STP 29
Status: RESOLVED INVALID
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore (show other bugs)
Version: Safari Technology Preview
Hardware: Mac macOS 10.12
: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-04 09:25 PDT by David Richardson
Modified: 2017-05-12 08:48 PDT (History)
3 users (show)

See Also:


Attachments
A simple html file with XHR to fetch and display http://webkit.org (699 bytes, text/html)
2017-05-04 09:25 PDT, David Richardson
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description David Richardson 2017-05-04 09:25:53 PDT
Created attachment 309055 [details]
A simple html file with XHR to fetch and display http://webkit.org

Beginning with Safari Technology Preview release 29, all CORS requests from file:// are blocked unless Disable Local File Restrictions or Disable Cross-Origin Restrictions selected from Develop menu.
This behaviour is new, and not present in release versions of Safari or Webkit Nightly r216177.

Load attached file in browser to test.
Comment 1 Daniel Bates 2017-05-04 09:43:19 PDT
As it turns out the behavior change is intentional. In STP 29 we changed Develop > Disable Local File Restrictions to toggle granting universal access for non-quarantined file URLs. Formerly file URLs for non-quarantined files would be granted universal access by default and Develop > Disable Local File Restrictions did nothing. So, to opt into the old behavior enable Disable Local File Restrictions.
Comment 2 Daniel Bates 2017-05-04 09:44:06 PDT
We should update the STP 29 release notes to mention the behavior change.
Comment 3 Daniel Bates 2017-05-04 09:46:04 PDT
For Apple employees, see <rdar://problem/30383804> for more details on this change in behavior.
Comment 4 Brent Fulgham 2017-05-12 08:48:56 PDT
Note that WebKit's behavior for this now matches Chrome and Firefox.