Issue metadata

Status: WontFix
Closed: Oct 2013
OS: All
Pri: 2
Type: Bug

Issue 312727: <track> should be allowed from file://

Reported by phil...@opera.com, Oct 29 2013

Issue description

A document opened from file:// is currently not allowed to include a local WebVTT file, failing the cross-origin check in TextTrackLoader::load.

No other tested browser (Opera 12, Firefox Nightly, IE11) exhibits this behavior.

Apart from probably annoying Web developers, it makes it impossible to open and run some of the WebVTT LayoutTests directly.
Comment 1 by phil...@opera.com, Oct 29 2013

The code that makes this fail is:

bool SecurityOrigin::passesFileCheck(const SecurityOrigin* other) const
{
    ASSERT(isLocal() && other->isLocal());

    if (!m_enforceFilePathSeparation && !other->m_enforceFilePathSeparation)
        return true;

    return (m_filePath == other->m_filePath);
}

That last line is actually comparing the full paths including the filenames, so all it allows is for a file to include itself. Can this be deliberate, and is it at all useful?
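To make the effect of that check concrete, here is an added stand-alone model (not Chromium code) that applies the quoted passesFileCheck logic to a document and a track given as file:// URLs. LocalOrigin, filePathOf and trackLoadPasses are names invented for this example, and the allowFileAccessFromFiles parameter is assumed to correspond to switching path separation off for both origins.

```cpp
// Added model of Blink's file:// origin check; not Chromium code.
#include <cassert>
#include <string>
#include <utility>

// Minimal stand-in for SecurityOrigin, keeping only the state passesFileCheck reads.
class LocalOrigin {
public:
    // filePath is the path part of a file:// URL; enforceSeparation mirrors
    // m_enforceFilePathSeparation, which is on by default for file:// documents.
    LocalOrigin(std::string filePath, bool enforceSeparation)
        : m_filePath(std::move(filePath)), m_enforceFilePathSeparation(enforceSeparation) {}

    bool isLocal() const { return true; }

    // Same logic as the snippet quoted in comment 1: unless both sides have
    // path separation switched off, only an identical full path passes.
    bool passesFileCheck(const LocalOrigin& other) const {
        assert(isLocal() && other.isLocal());
        if (!m_enforceFilePathSeparation && !other.m_enforceFilePathSeparation)
            return true;
        return m_filePath == other.m_filePath;
    }

private:
    std::string m_filePath;
    bool m_enforceFilePathSeparation;
};

// Strip the "file://" prefix; returns an empty string for non-file URLs.
std::string filePathOf(const std::string& url) {
    const std::string scheme = "file://";
    if (url.compare(0, scheme.size(), scheme) != 0) return "";
    return url.substr(scheme.size());
}

// Would a <track src=trackUrl> inside a document at docUrl pass the check?
// allowFileAccessFromFiles is assumed here to turn path separation off for
// both origins; the default (false) is the behaviour the issue reports.
bool trackLoadPasses(const std::string& docUrl, const std::string& trackUrl,
                     bool allowFileAccessFromFiles) {
    std::string docPath = filePathOf(docUrl), trackPath = filePathOf(trackUrl);
    if (docPath.empty() || trackPath.empty()) return false; // not both file://
    bool enforce = !allowFileAccessFromFiles;
    LocalOrigin doc(docPath, enforce), track(trackPath, enforce);
    return doc.passesFileCheck(track);
}
```

With the default setting, a page only "passes" against its own path, so a sibling .vtt file in the same directory is rejected exactly as comment 1 describes.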

Comment 2 by gl...@skynav.com, Oct 29 2013

As a workaround for testing, you can use the --disable-web-security option with command shell.

Comment 3 by phil...@opera.com, Oct 29 2013

Thanks Glenn, I'll do that in the meantime.

Comment 4 by phil...@opera.com, Oct 30 2013

Status: WontFix
Closing as Won't Fix based on this email conversation with Adam Barth:

On Wed, Oct 30, 2013 at 2:10 AM, Adam Barth <abarth@chromium.org> wrote:
> On Tue, Oct 29, 2013 at 3:36 PM, Philip Jägenstedt <philipj@opera.com>
> wrote:
>>
>> On Tue, Oct 29, 2013 at 9:19 PM, Adam Barth <abarth@chromium.org> wrote:
>> > On Tue, Oct 29, 2013 at 6:52 AM, Philip Jägenstedt <philipj@opera.com>
>> > wrote:
>> >>
>> >> You seem to have done most of the reviewing in SecurityOrigin.cpp, so
>> >> could you have a look at
>> >> https://code.google.com/p/chromium/issues/detail?id=312727 ?
>> >>
>> >> I'm not sure if modifying SecurityOrigin::passesFileCheck is actually
>> >> the correct fix, so feedback on both that and the proper way to make
>> >> tracks embeddable in a file:// context would be appreciated.
>> >
>> >
>> > Do you need to use file URLs?  It's much better to make up your own
>> > scheme
>> > for local resources instead of using the file scheme.  The file scheme's
>> > security model is totally broken.
>>
>> I wanted to run some LayoutTests directly in order to attach gdb, and
>> was puzzled why it didn't work. In truth I'm not sure why the tests
>> work when run via the script either, I guess that --dump-render-tree
>> does something in addition to dumping the render tree...
>
>
> Yes, --dump-render-tree configures content_shell to run the tests.  We
> twiddle a bunch of settings, including the security model for file URLs.
>  
>>
>> Glenn told me about --disable-web-security so now I'm using that, so I
>> can survive without any changes. However, I'm guessing that Web
>> developers might have a hard time figuring out why their subtitles
>> don't work locally.
>
>
> We tell them not to run their sites locally.  It doesn't work well.
>
>> > The code in question does what we intend it to do.  It's just meant to make
>> > file URLs minimally functional.  We used to run file URLs in unique
>> > origins,
>> > but that caused problems for blob URLs and the like.
>>
>> OK, that minimal functionality appeared so useless that I assumed it
>> was by mistake. However, if doing whatever other browsers do for
>> file:// isn't an option, then I'll just close my bug and learn to live
>> with it.
>
>
> Yeah, we're not happy with the behavior of other browsers.  They're trading
> away user security for developer convenience, which isn't a trade we're
> willing to make.
>
> Adam
>

Comment 5 by vcarbune@chromium.org, Oct 31 2013

Maybe I'm wrong, but I remember there's the --allow-file-access-from-files flag that allows web devs to load resources from local files.

Comment 6 by phil...@opera.com, Oct 31 2013

There's --disable-web-security which Glenn mentioned above.

Comment 7 by phil...@opera.com, Oct 31 2013

Labels: Cr-Blink-Text-Track

Comment 8 by sshru...@google.com, May 23 2016

Components: -Blink>Text>Track Blink>Media>Track
Renamed Blink>Text>Track to Blink>Media>Track. Moving these bugs to the new component.

Comment 9 by f...@opera.com, Mar 6 2018

Cc: susanjun...@techmahindra.com yini...@chromium.org foolip@chromium.org dalecur...@chromium.org
Issue 808826 has been merged into this issue.

Comment 10 by f...@opera.com, Mar 6 2018

Issue 263721 has been merged into this issue.