admin管理员组

文章数量:1327127

Perhaps my searching(Google-Fu) has deserted me, but I can't find a good description of the same-origin policy for file URIs other than this outdated Mozilla page. Can anyone point me to an explanation of the same-origin policy for file URIs? In particular, if I have a script loaded from (say) file:///C:/Users/Joe/Test/test.html, what files is that script allowed to access using XMLHttpRequest? And how should I specify the URI, i.e., as relative to the script's URI?

Note that I'm not asking for a way to get around cross-origin restrictions, just an understanding of where I need resources to reside so that I can load them without triggering a cross-origin error.

Perhaps my searching(Google-Fu) has deserted me, but I can't find a good description of the same-origin policy for file URIs other than this outdated Mozilla page. Can anyone point me to an explanation of the same-origin policy for file URIs? In particular, if I have a script loaded from (say) file:///C:/Users/Joe/Test/test.html, what files is that script allowed to access using XMLHttpRequest? And how should I specify the URI, i.e., as relative to the script's URI?

Note that I'm not asking for a way to get around cross-origin restrictions, just an understanding of where I need resources to reside so that I can load them without triggering a cross-origin error.

Share Improve this question edited Nov 28, 2023 at 22:01 John Price 137 bronze badges asked Jan 18, 2018 at 2:50 Dr. PainDr. Pain 7191 gold badge7 silver badges16 bronze badges 7
  • You want to look into CORS. – StackSlave Commented Jan 18, 2018 at 2:54
  • 2 file:/// uri's work differently with respect to "same origin policy" in different browsers - chrome has a mand line flag to make them "same origin" (as they are in Firefox at least) - other browsers aren't worth talking about :p – Jaromanda X Commented Jan 18, 2018 at 2:56
  • 2 @JaromandaX +1 to your ment, but the irony is that the other browsers aren't worth talking about, specifically IE and Edge, happen to be the easiest to use for such a development scenario. They both work smoothly with file:/// and CORS bination without any need for mand line flags or any other steps. – Racil Hilan Commented Jan 18, 2018 at 3:02
  • That's why they aren't worth talking about @RacilHilan - because they work :p – Jaromanda X Commented Jan 18, 2018 at 3:17
  • 1 I think there's a less dangerous flag, --allow-file-access-from-files – Jaromanda X Commented Jan 18, 2018 at 4:13
 |  Show 2 more ments

1 Answer 1

Reset to default 7

The same-origin policy for file:/// URIs is implementation-dependent.

The W3C's CORS spec gets its definition of an "origin" from IETF RFC 6454 "The Web Origin Concept". In section 4 "Origin of a URI" it reads:

  1. If uri-scheme is "file", the implementation MAY return an implementation-defined value.

NOTE: Historically, user agents have granted content from the file scheme a tremendous amount of privilege. However, granting all local files such wide privileges can lead to privilege escalation attacks. Some user agents have had success granting local files directory-based privileges, but this approach has not been widely adopted. Other user agents use globally unique identifiers for each file URI, which is the most secure option.

Looking up the behavior (and the reasoning behind it) for specific browsers is not easy. I actually think the old Mozilla wiki page you referenced is one of the better resources on this topic. Here's a fairly helpful discussion; general guidance is to assume the browser may treat all file:/// URIs as totally unique origins.

本文标签: javascriptWhat is the SameOrigin Policy for File URIsStack Overflow