[webkit-dev] Distinction between local and non-local URIs

Cedric Sodhi manday at gmx.net
Wed Oct 12 12:25:40 PDT 2011


I'm of the opinion that there is no need to distinguish between local
and non-local schemes, such as it is in the case where a non-local (say,
http) URI cannot load or embed a local (say, file) scheme.

I've heard that there must have been reasons for such a restriction to
be introduced.

I hereby would like to reassess those reasons and ask the people who
originally drove the implementation to justify that restriction with
regard to contemporary security issues.

As a preclaimer to any argument I would like to clearly state that there

IS NO INTRINSIC DIFFERENCE BETWEEN LOCAL AND NON-LOCAL RESOURCES.

Both have equal rights to demand security. The only difference lies in
the protocol being used to access them and what has to be considered a
distinct domain with regard to same-origin-policy.

For reading, it's of no relevance, whether a file is at file:// ,
http:// , ftp:// , scp:// , or etc.

Hence, limitations randomly imposed on either of the schemes are
superfluous and a wrong approach to whatever possible security
considerations might have been made.
-- 
regards,
ManDay

