[webkit-dev] Distinction between local and non-local URIs
Cedric Sodhi
manday at gmx.net
Wed Oct 12 12:25:40 PDT 2011
I'm of the opinion that there is no need to distinguish between local
and non-local schemes, such as it is in the case where a non-local (say,
http) URI cannot load or embed a local (say, file) scheme.
I've heard that there must have been reasons for such a restriction to
be introduced.
I hereby would like to reassess those reasons and ask the people who
originally drove the implementation to justify that restriction with
regard to contemporary security issues.
As a preclaimer to any argument I would like to clearly state that there
IS NO INTRINSIC DIFFERENCE BETWEEN LOCAL AND NON-LOCAL RESOURCES.
Both have equal rights to demand security. The only difference lies in
the protocol being used to access them and what has to be considered a
distinct domain with regard to same-origin-policy.
For reading, it's of no relevance, whether a file is at file:// ,
http:// , ftp:// , scp:// , or etc.
Hence, limitations randomly imposed on either of the schemes are
superfluous and a wrong approach to whatever possible security
considerations might have been made.
--
regards,
ManDay