trunk has ongoing protection against stealing local files when a local file is opened. this may be circumvented via save web page complete img src="file:///etc/passwd" is saved in the saved directory and then easily accessed from js because it is in known subdirectory.

branch is affected, but it is directly broken locally.

<img src="file:///foo"> should be a broken image, we shouldn't be making copies of things we don't let you link to in the first place!

it is a broken image. something makes a local copy of a local file in known subdirectory. javascript: uris don't seem to work at first sight.

css hides the broken image and the iframe's: <img id="im1" src="file:///etc/passwd" style='visibility: hidden' />

note that this works for any accessible web resources, not just files.

another exploit vector via file in same directory: main page <iframe src="http://secret/secret.html"> <iframe src="/exploit.html"> save complete main page. in page_files: ./exploit.html ./secret.html exploit can easily read secret if allowed to read files in same directory.

Related to bug 332676?

(In reply to comment #7) > Related to bug 332676? > yes, the intranet stuff seems the same.

Dan: Not sure what to do about this one as far as blocking goes? Is there anything we can really do here?

Dan, need your input here.

I don't think we can block on this, especially if it's something we've already shipped.

Dan, is this something we should fix?

I believe that we should move to the same model as Chrome is using. I.e. each file loaded through file:// is considered a separate origin. This will however screw website development quite a bit. So we should enable configuring directories where everything inside of such a configured directory is considered same-origin. So a developer can set up /users/sicking/projects/mywebsite as being a website, which means that all files under that directory is same-origin with all other files in that directory. We could even allow configuring that all files in that directory is same-origin with a particular http(s) website. That would likely even further help developers. I don't know if we have a bug in place for anything like that. But it's something that I'd love to see built, both for security purposes, and because it'd be an awesome developer feature.

(In reply to Sid Stamm [:geekboy or :sstamm] from comment #12) > Dan, is this something we should fix? It's not the highest priority, but saving files locally is still a fairly common activity so yes, I don't think we should wontfix this bug. Maybe we should un-hide it and make it a mentored bug.