[webkit-dev] Distinction between local and non-local URIs

Adam Barth abarth at webkit.org
Wed Oct 12 12:40:23 PDT 2011

As far as I know, every modern browser prevents non-local HTML
document (e.g., those with http or https schemes) from embedding
resources (e.g., images or iframes) from the local file system.

This restriction prevents remote parties from probing the user's local
file system for information.  For example, if we didn't implement this
restriction, a web page could detect whether you had a particular
piece of software installed on your computer by embedding images that
program stores at predictable locations on disk.  If the software
package is installed, those images would load correct and their height
and width would affect layout.  If not, the image load would error

You seem somewhat upset about this policy, but please understand that
we implement the restriction to improve the privacy and security of
our users.  If you're embedding WebKit in your application, there is a
setting for disabling this protection if it's not appropriate for your
application.  Hopefully this email will give you some context for why
we implement this restriction.

Thanks for the feedback, and I hope you find WebKit useful.


On Wed, Oct 12, 2011 at 12:25 PM, Cedric Sodhi <manday at gmx.net> wrote:
> I'm of the opinion that there is no need to distinguish between local
> and non-local schemes, such as it is in the case where a non-local (say,
> http) URI cannot load or embed a local (say, file) scheme.
> I've heard that there must have been reasons for such a restriction to
> be introduced.
> I hereby would like to reaccess those reasons and ask the people who
> originally drove the implementation to justify that restriction with
> regard to contemporary security issues.
> As a preclaimer to any argument I would like to cleary state that there
> Both have equal rights to demand security. The only difference lies in
> the protocol being used to access them and what has to considered a
> distinct domain with regard to same-origin-policy.
> For reading, it's of no relevance, whether a file is at file:// ,
> http:// , ftp:// , scp:// , or etc.
> Hence, limitations randomly imposed on either of the schemes are
> superflous and a wrong approach to whatever possible security
> considerations might have been made.
> --
> regards,
> ManDay
> _______________________________________________
> webkit-dev mailing list
> webkit-dev at lists.webkit.org
> http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev

More information about the webkit-dev mailing list