Closed Bug 141348 Opened 23 years ago Closed 23 years ago

XMLHttpRequest allows local files to be read

Categories

(Core :: XML, defect)

x86
Windows 2000
defect
Not set
major

Tracking

VERIFIED DUPLICATE of bug 141061

People

(Reporter: mark, Assigned: hjtoi-bugzilla)

Details

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0.0+) Gecko/20020430
BuildID: 2002043010

The XMLHttpRequest object allows reading of local files by blindly following server-side redirections. By directing the "open" method to a web page that will redirect to a local/remote file it is possible to fool Mozilla into thinking it's still in the allowed zone, therefore allowing us to read it. It is then possible to inspect the content by using the responseText property.

Reproducible: Always

Steps to Reproduce:
1. Go to URL specified above
2. Scroll to Demonstration heading
3. Specify local file name and click "sniff" button

Actual Results: I was able to pull the contents of various text files from my local computer, both in the root of c:\ and in my c:\winnt directory. This is supposedly the same bug fixed a couple of months ago in IE (see URL for more info).

Expected Results: Moz should have refused to access a local file. IMO this is a very serious security bug that should be quickly fixed. I'm listing severity as Major, because a major feature of the browser should be security.
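The flaw described in this report, an access check that covers only the URL passed to open() and not the redirect targets, shown beside a check repeated on every hop. This is an added illustration, not code from the bug, the reporter or Mozilla; the function names, the simplified same-origin policy and the sample URLs are assumptions constructed for the example.

```javascript
// Added illustration; names, policy and sample URLs are constructed assumptions.
const NETWORK_SCHEMES = new Set(["http:", "https:"]);

// Simplified policy for ONE load: may a page at pageUrl read targetUrl?
function mayRead(pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  if (!NETWORK_SCHEMES.has(target.protocol)) return false; // rejects file: and others
  return page.origin === target.origin; // same origin only
}

// Pattern the report describes: the check runs once, on the first URL,
// and the final redirect target is handed back without being re-checked.
function finalUrlCheckedOnce(pageUrl, chain) {
  if (chain.length === 0 || !mayRead(pageUrl, chain[0])) return null;
  return chain[chain.length - 1];
}

// Hardened pattern: resolve each Location value against the previous hop
// and repeat the same check before following it; cap the chain length.
function finalUrlCheckedPerHop(pageUrl, chain, maxHops = 10) {
  if (chain.length === 0 || chain.length > maxHops + 1) return null;
  let current = null;
  for (const location of chain) {
    let next;
    try {
      next = current ? new URL(location, current).href : new URL(location).href;
    } catch (e) {
      return null; // unparsable Location value: refuse the load
    }
    if (!mayRead(pageUrl, next)) return null;
    current = next;
  }
  return current;
}

// Constructed sample data: the requesting page and two redirect chains.
const PAGE = "http://site.example/demo.html";
const REDIRECT_TO_LOCAL = ["http://site.example/redirect", "file:///C:/example.txt"];
const SAME_ORIGIN = ["http://site.example/a", "/b.xml"];

console.log(finalUrlCheckedOnce(PAGE, REDIRECT_TO_LOCAL));   // local file URL is accepted
console.log(finalUrlCheckedPerHop(PAGE, REDIRECT_TO_LOCAL)); // load is refused
console.log(finalUrlCheckedPerHop(PAGE, SAME_ORIGIN));       // same-origin hop is followed
```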
Duplicate of "XMLHttpRequest allows reading of local files" (please search for dups before posting!)

*** This bug has been marked as a duplicate of 141061 ***
Status: UNCONFIRMED → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
v
Status: RESOLVED → VERIFIED
bzbarsky: re: "please search for dups before posting!" The original bug was only made public at 15:39, which is roughly 20 minutes before this one was filed. So it is possible that the reporter *did* search for dups before filing this one, but just couldn't see it. :-)