
Issue 839679


Issue metadata

Status: WontFix
Owner: ----
Closed: May 2018
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug




Misbehaving CORS when accessing files

Reported by m...@mail.ru, May 4 2018

Issue description

UserAgent: Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0

Steps to reproduce the problem:
1. Consider the following local FS directory structure

/home/me/app (*a root of local JS application*)

then below it

app/
 \_index.html
 \_js/
 \_cards/
   \_fragment-1.html
   \_fragment-2.html

2. Then, by any means, try to make an XHR request to ./cards/fragment-1.html
3. The request fails with "Failed to load file:///home/me/app/cards/fragment-1.html: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-extension, https"

What is the expected behavior?
Expected behavior is seamless access to the file

What went wrong?
Actually, CORS is inappropriate there. As per https://tools.ietf.org/html/rfc6454#section-5,
----
   Two origins are "the same" if, and only if, they are identical.  In
   particular:

   o  If the two origins are scheme/host/port triples, the two origins
      are the same if, and only if, they have identical schemes, hosts,
      and ports.

   o  An origin that is a globally unique identifier cannot be the same
      as an origin that is a scheme/host/port triple.

   Two URIs are same-origin if their origins are the same.
---

Well, we do not have, for sure, either a host or a port there in the file:// scheme,
however semantically (and intuitively) a "host" for file:// is the directory
origin of host file, '/home/me/app' for the document source 'file:///home/me/app/index.html'

Thus all that below is expected to be just an equivalent of relative URIs for
'regular' schemes like 'http://', 'https://', and consequently all that above it
is a different 'host'

So why is CORS appearing there? Any thoughts?

Thanks

Did this work before? N/A 

Chrome version: 66.0.3359.139 (Official Build) Arch Linux (64-bit)  Channel: stable
OS Version: Arch x64
Flash Version: none
 
app.tar.xz
696 bytes Download
Labels: Needs-Triage-M66

Comment 2 by bokan@chromium.org, May 4 2018

Components: -Blink Blink>SecurityFeature

Comment 3 by ricea@chromium.org, May 7 2018

Status: WontFix (was: Unconfirmed)
This is working as intended. Each file in the filesystem is treated as a separate origin. This has been Chrome's policy for a very long time and is unlikely to change. There are many discussions of this on the web.
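
The policy described in Comment 3, as an added example that is not part of the original thread or Chrome's own code: a simplified model of the RFC 6454 comparison in which every file: URL gets its own opaque origin, combined with the scheme list from the reporter's error message. The function names and the `http://localhost:8000` URL are assumptions made for illustration.

```javascript
// Schemes for which, per the error message in this issue, cross-origin
// requests are supported at all.
const CORS_SCHEMES = new Set(['http', 'data', 'chrome', 'chrome-extension', 'https']);

// Return the scheme/host/port triple for a URL, or null for an opaque origin.
// Assumption of this model: only http(s) URLs yield a triple; file: URLs are
// opaque, matching the "each file is a separate origin" policy in Comment 3.
function originOf(urlString) {
  const url = new URL(urlString);
  const scheme = url.protocol.slice(0, -1);
  if (scheme !== 'http' && scheme !== 'https') return null;
  // URL.port is '' when the default port is used, so fill it in explicitly.
  const port = url.port || (scheme === 'https' ? '443' : '80');
  return { scheme, host: url.hostname, port };
}

// RFC 6454 section 5: triples are the same only if scheme, host and port are
// identical; a globally unique (opaque) origin never equals a triple, and in
// this model two different file: URLs never share one.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === null || ob === null) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Classify a request from `page` to `target` (resolved relative to the page).
function classifyRequest(page, target) {
  const resolved = new URL(target, page);
  if (sameOrigin(page, resolved.href)) return 'same-origin';
  const scheme = resolved.protocol.slice(0, -1);
  // Cross-origin: CORS can only be attempted for the listed schemes.
  return CORS_SCHEMES.has(scheme) ? 'cors' : 'blocked';
}

// Constructed sample inputs: the reporter's layout, opened from disk and
// served from a local HTTP server (hypothetical address).
const fromDisk = classifyRequest('file:///home/me/app/index.html', './cards/fragment-1.html');
const fromHttp = classifyRequest('http://localhost:8000/index.html', './cards/fragment-1.html');
console.log({ fromDisk, fromHttp });
```

The same relative URL is same-origin when the directory is served over HTTP, which is why the reporter's expectation holds for `http://` but not for `file://`.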
