Bug 31425 - file:// documents should not be able to open WebSocket connections
Summary: file:// documents should not be able to open WebSocket connections
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: 528+ (Nightly build)
Hardware: All All
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2009-11-12 11:39 PST by Alexey Proskuryakov
Modified: 2016-05-18 21:34 PDT (History)
7 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexey Proskuryakov 2009-11-12 11:39:38 PST 
XMLHttpRequest is now forbidden from local files, and WebSocket should be, too.
Comment 1 Alexey Proskuryakov 2009-12-04 11:23:49 PST 
<rdar://problem/7444841>
Comment 2 Alexey Proskuryakov 2009-12-08 11:05:40 PST 
It's not true that XHR is forbidden - it just becomes cross-origin. So, WebSocket behavior matches current XHR behavior.
Comment 3 Joe Andrieu 2011-03-13 00:39:44 PST 
XHR is not necessarily cross-origin from a file. It could be accessing another file URL or localhost or a non-standard scheme like data: or javascript (which may or may not have a parsable origin encoded in the URL).
Comment 4 Adam Barth 2011-03-13 00:52:07 PST 
We support a number of different policies for the security origin of file URLs, including treating every file URL as a different origin (which is the most secure option).