Closed Bug 168136 Opened 22 years ago Closed 22 years ago

for pref controlled schemes, allow access if source scheme is chrome or res

Categories

(Core :: Security: CAPS, defect)

x86
All
defect
Not set
normal

VERIFIED FIXED

People

(Reporter: sspitzer, Assigned: sspitzer)

Attachments

(1 file)

For pref controlled schemes, allow access if source scheme is chrome or res. Here comes a patch. Please review (somewhat scary).
Blocks: 167891
Status: NEW → ASSIGNED
See #167891 for some XUL / JS that requires this. It's a XUL window with a browser element, and the src of the element is set to a file:// URL (to an HTML file on disk).
Summary: for pref controlled schemes, allow accecs if source scheme is chrome or res → for pref controlled schemes, allow access if source scheme is chrome or res
Personally I think we should change file: to AllowAccess -- we're breaking a lot of people on intranets and I don't see the security gain. Or default the pref to true and let paranoids turn it off if we find a problem. But chrome should definitely be able to access file: so I'll sr= this if Mitch gives the r=
Comment on attachment 98856 (patch, please review carefully, I'm not a caps or security expert.)
sr=dveditz if mstoltz gives the r=/moa=
Attachment #98856 - Flags: superreview+
Comment on attachment 98856 (patch, please review carefully, I'm not a caps or security expert.)
Dan - yes, I think we should eventually make file: be an AllowProtocol, although I want to add a lower-level check to prevent accessing /dev/* files and the like. But that will require a lot of caution, so let's do this for now. r=mstoltz.
Attachment #98856 - Flags: review+
Fixed. Thanks all.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Marking verified as per above developer comments.
Status: RESOLVED → VERIFIED