

Question

I have a problem viewing HTML/JS/CSS files generated on disk. Specifically, several calls in JavaScript are blocked by Google Chrome. I googled and found an answer here: https://stackoverflow.com/questions/21408510/chrome-cant-load-web-worker. In the end, I have to go the extra mile to install and run a web server on my machine so that I can properly view a website hosted on my own filesystem.

However, I don't understand the reasoning. Why does the browser implement stricter policy for local files? Aren't files already on my disk more trustworthy than those loaded from remote sites?

Explanation / Answer

No.

The expected local HTML use case for normal (i.e. non-developer) users is that they've gone to a web page, wanted to view it offline, and used the browser's Save As functionality to make a local copy. This does not imply any level of trust between the user and the operator of the site hosting that page and should not, in general, give that operator access to read other files from the user's hard disc.

In days of old, IE used to grant greater permissions to HTML on the local filesystem. The upshot was a ton of security holes, in that any application that could be persuaded to save a file containing HTML to a predictable path could typically be exploited to execute attacker code.
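
Added example, not part of the original answer: a simplified JavaScript model of the origin check behind this behaviour, showing why two `file://` pages never count as same-origin while pages served from a local web server do. The file paths, the `localhost` ports and the function names are constructed for illustration.

```javascript
// Added example; paths, ports and function names are constructed.
// URL is the WHATWG URL class (a global in browsers and in Node.js).

// Serialized origin of a URL. Schemes with no (scheme, host, port) tuple,
// such as file:, serialize to the string "null": an opaque origin.
function originOf(url) {
  return new URL(url).origin;
}

// Naive check: compares serialized origins as strings.
// Flaw: "null" === "null", so any two local files would look same-origin.
function naiveSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Strict check (simplified model of the browser's rule): an opaque origin
// matches no other URL, so a local page gets no access to other local files.
function strictSameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa === "null" || ob === "null") return false;
  return oa === ob;
}

// Would a page be allowed to load `resource` as a same-origin script or file?
function canLoad(pageUrl, resource) {
  const target = new URL(resource, pageUrl).href; // resolve relative to the page
  return { target, allowed: strictSameOrigin(pageUrl, target) };
}

const cases = [
  ["file:///home/user/site/index.html", "worker.js"],
  ["file:///home/user/Downloads/saved.html", "../Documents/notes.txt"],
  ["http://localhost:8000/index.html", "worker.js"],
  ["http://localhost:8000/index.html", "http://localhost:9000/worker.js"],
];
for (const [page, res] of cases) {
  const { target, allowed } = canLoad(page, res);
  console.log(`${allowed ? "allow" : "block"}  ${page} -> ${target}`);
}
```

Serving the same directory over `http://localhost` gives every file one concrete origin, which is why the local web server makes the blocked calls work.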