[webkit-help] How to load a file:// image from a webview loaded with a base URL?

Dan Wood dw43031apple at karelia.com
Fri Jun 25 13:35:21 PDT 2010


The Base URL is an http:// URL.

So your security assumption is correct.  However, it seems that there ought to be a way to allow the developer to override this for cases like mine (in which I am loading a fixed URL, with my own specific content, so no security hole there) or Daniel's (where it is the author of a blog post working on their own content).

The workarounds seem ... well, really like a lot of work for a simple thing.  I'm not really sure if I want to be messing with custom URL types for what is just a simple status display. :-)

Any hints on +[WebView _addOriginAccessWhitelistEntryWithSourceOrigin:destinationProtocol:destinationHost:allowDestinationSubdomains:] ?

That seems like the most obvious work-around, with no custom URL schemes required....




On Jun 25, 2010, at 8:32 AM, Adam Roben wrote:

> On Jun 24, 2010, at 3:37 PM, Dan Wood wrote:
> 
>> I'm seeing an odd behavior, and I wonder if it is a regression in Safari 5's webkit, and if there is a workaround.
>> 
>> I have an HTML string which I have loaded up from a remote website, and modified slightly to include an image with a source of a local file:// URL.
>> 
>> Then I try to load it into my webview with -[WebFrame loadHTMLString:baseURL:]. I pass in the base URL so that the images with relative paths will show properly.
> 
> What is the scheme of the base URL you're passing in?
> 
>> This works fine, except that my file:// image does not load!  It's not even requested, if I monitor the resource load delegate!
>> 
>> The markup seems fine, and it has definitely been parsed when I examine my WebView with the inspector.  Just, no request for the image.
> 
> WebKit considers certain URL schemes to be "local". One of these is file:. Pages with non-local schemes aren't allowed to load resources from local schemes for security reasons. (E.g., it would be bad if http://www.example.com/ could use <iframe src=file:///etc/passwd> to read your passwords!)
> 
> My guess is that the base URL you're passing has a non-local scheme.
> 
>> If I try to load the HTML with a nil base URL, then my file://-URL-based image shows up just fine.
> 
> When you pass no base URL, WebKit makes up a unique URL that uses the applewebdata: scheme. WebKit treats this scheme as a local scheme, so you can load other local resources (such as file: resources). I believe this is done for compatibility reasons.
> 
>> This seems either like a regression -- I can't believe that a base URL would affect being able to load up a local URL.  Or is this actually as expected?
> 
> As I've described above, this is expected.
> 
>> Any ideas on a workaround?  (I tried splicing in <base href=...> instead of the base URL; the problem is that the initial request becomes about:blank, so links to "#" sections don't work.  I guess I can put my local image up on the web...)
> 
> One workaround is to use a custom URL scheme for your base URL, and to tell WebKit to treat that scheme as a local scheme. You can do this with +[WebView registerURLSchemeAsLocal:].
> 
> A potentially better workaround is to use a custom URL scheme to load local resources, rather than using file: directly. An NSURLProtocol subclass can be used to implement this. I say this is "potentially better" because you can make your NSURLProtocol subclass restrict which files can be loaded (while with file: you'd be allowing any file on the whole system to be loaded).
> 
> -Adam
> 

--
Dan Wood
dwood at karelia.com
Twitter: http://twitter.com/danwood
Karelia Software — Sandvox for the Mac
http://www.karelia.com/

Do not wait to strike till the iron is hot; but make it hot by striking. — William Butler Yeats
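
The restricted custom-scheme loader that Adam's reply describes could look like the sketch below. It is an added example, not code from this thread or from WebKit. The scheme name "applocal", the class name and the allowed-root setter are hypothetical, ARC is assumed, and the class has to be registered with +[NSURLProtocol registerClass:] before the HTML is loaded.

```objc
// Added example; "applocal" and the allowed root are hypothetical names.
#import <Foundation/Foundation.h>

static NSString * const kScheme = @"applocal";
static NSString *gAllowedRoot = nil;  // canonical path of the only readable directory

@interface LocalResourceProtocol : NSURLProtocol
+ (void)setAllowedRoot:(NSString *)dir;
@end

@implementation LocalResourceProtocol
+ (void)setAllowedRoot:(NSString *)dir {
    // Canonicalize once so the prefix check below compares like with like.
    gAllowedRoot = [[[dir stringByResolvingSymlinksInPath] stringByStandardizingPath] copy];
}
+ (BOOL)canInitWithRequest:(NSURLRequest *)request {
    NSString *scheme = [[request URL] scheme];
    return scheme != nil && [scheme caseInsensitiveCompare:kScheme] == NSOrderedSame;
}
+ (NSURLRequest *)canonicalRequestForRequest:(NSURLRequest *)request {
    return request;
}
// Map applocal:///images/x.png to a file under the allowed root, or nil if it escapes.
+ (NSString *)filePathForURL:(NSURL *)url {
    NSString *rel = [url path];
    if (gAllowedRoot == nil || [rel length] == 0) return nil;
    NSString *candidate = [gAllowedRoot stringByAppendingPathComponent:rel];
    // Resolve symlinks and ".." before testing containment, not after.
    candidate = [[candidate stringByResolvingSymlinksInPath] stringByStandardizingPath];
    if ([[candidate pathComponents] containsObject:@".."]) return nil;
    NSString *prefix = [gAllowedRoot stringByAppendingString:@"/"];
    return [candidate hasPrefix:prefix] ? candidate : nil;
}
- (void)startLoading {
    NSURL *url = [[self request] URL];
    NSString *path = [[self class] filePathForURL:url];
    NSData *data = path ? [NSData dataWithContentsOfFile:path] : nil;
    if (data == nil) {  // outside the root, or unreadable: fail closed
        NSError *err = [NSError errorWithDomain:NSURLErrorDomain
                                           code:NSURLErrorNoPermissionsToReadFile userInfo:nil];
        [[self client] URLProtocol:self didFailWithError:err];
        return;
    }
    // MIME type is left nil here; a fuller handler would derive it from the file extension.
    NSURLResponse *resp = [[NSURLResponse alloc] initWithURL:url MIMEType:nil
                          expectedContentLength:(NSInteger)[data length] textEncodingName:nil];
    [[self client] URLProtocol:self didReceiveResponse:resp
            cacheStoragePolicy:NSURLCacheStorageNotAllowed];
    [[self client] URLProtocol:self didLoadData:data];
    [[self client] URLProtocolDidFinishLoading:self];
}
- (void)stopLoading {}  // nothing to cancel: the read above is synchronous
@end
```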





