- From: Michael A. Puls II <shadow2531@gmail.com>
- Date: Tue, 18 Aug 2009 20:21:02 -0400
- To: "Adam Barth" <w3c@adambarth.com>
- Cc: timeless@gmail.com, "Anne van Kesteren" <annevk@opera.com>, public-webapps@w3.org
On Tue, 18 Aug 2009 20:14:00 -0400, Adam Barth <w3c@adambarth.com> wrote:

> On Tue, Aug 18, 2009 at 3:38 PM, Michael A. Puls II <shadow2531@gmail.com> wrote:
>> On Tue, 18 Aug 2009 18:10:41 -0400, Adam Barth <w3c@adambarth.com> wrote:
>>> Mozilla does indeed separate by directory in an
>>> interesting way.
>>
>> Is the exact way documented that you know of?
>
> There is some description on the Mozilla developers wiki, but the
> implementation didn't match that description last time I investigated
> this topic.

Thanks. Here's what I see:

Page: file:///c:/documents%20and%20settings/user/desktop/test.html

File to fetch with "GET" and XHR - result

Opera

    file:///d:/test.txt - allowed
    file:///c:/test.txt - allowed
    file:///c:/documents%20and%20settings/user/test.txt - allowed
    test.txt - allowed
    dir/test.txt - allowed
    ../test.txt - allowed
    http://www.google.com/webhp - Security violation exception
    file_that_does_not_exist.txt - No exception thrown, but responseText is empty

Safari

    file:///d:/test.txt - allowed
    file:///c:/test.txt - allowed
    file:///c:/documents%20and%20settings/user/test.txt - allowed
    test.txt - allowed
    dir/test.txt - allowed
    ../test.txt - allowed
    http://www.google.com/webhp - allowed
    file_that_does_not_exist.txt - No exception thrown, but responseText is empty

Firefox

    file:///d:/test.txt - "Access to restricted URI denied" exception
    file:///c:/test.txt - "Access to restricted URI denied" exception
    file:///c:/documents%20and%20settings/user/test.txt - "Access to restricted URI denied" exception
    test.txt - allowed
    dir/test.txt - allowed
    ../test.txt - "Access to restricted URI denied" exception
    http://www.google.com/webhp - No exception thrown, but responseText is empty
    file_that_does_not_exist.txt - "Access to restricted URI denied" exception

Things that could be improved:

1. For Firefox and file_that_does_not_exist.txt, "Access to restricted URI denied" isn't the best message. Something like "file not found" would be way better.

2. For Firefox, http://www.google.com/webhp should throw an exception instead of just making responseText "".

3. For Safari, http://www.google.com/webhp should throw an exception.

4. For Opera and Safari, file_that_does_not_exist.txt should throw an exception instead of responseText just being "".

5. For Opera and Safari, file:///d:/test.txt, file:///c:/test.txt, file:///c:/documents%20and%20settings/user/test.txt and ../test.txt should all throw an exception like Firefox does.

Firefox only allowing access to files in "file:///c:/documents%20and%20settings/user/desktop/" and its subdirectories seems great.

>> If you have access to dev and try to load a path to a current device,
>> what happens in browsers currently?
>
> I recommend the experimental method. :)

Gotcha.

--
Michael
Received on Wednesday, 19 August 2009 00:21:44 UTC
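
The directory-scoped behaviour reported for Firefox in the message above can be modelled as a path check. This is an added example, not part of the original message and not Mozilla's code; `isFileFetchAllowed`, `decodedPath` and `PAGE` are hypothetical names. It covers only the path-scope decision (not whether the file exists) and assumes case-insensitive Windows paths like those in the test.

```javascript
// Added example: models the directory-scoped file: rule reported for Firefox above.
// isFileFetchAllowed, decodedPath and PAGE are hypothetical names, not browser APIs.
const PAGE = "file:///c:/documents%20and%20settings/user/desktop/test.html";

// Decode a URL pathname for comparison; null means "refuse" (malformed escape).
function decodedPath(url) {
  try {
    // Assumption: Windows paths as in the test above, so compare case-insensitively.
    return decodeURIComponent(url.pathname).toLowerCase();
  } catch {
    return null;
  }
}

function isFileFetchAllowed(pageUrl, target) {
  const page = new URL(pageUrl);
  if (page.protocol !== "file:") throw new Error("page must be a file: URL");

  let resolved;
  try {
    // Resolving against the page URL collapses "." and ".." segments.
    resolved = new URL(target, page);
  } catch {
    return false;
  }
  // Anything that is not a local file on the same host is out of scope.
  if (resolved.protocol !== "file:" || resolved.host !== page.host) return false;

  const pagePath = decodedPath(page);
  const targetPath = decodedPath(resolved);
  if (pagePath === null || targetPath === null) return false;

  // Encoded separators (%2F, %5C) can hide traversal from the URL parser,
  // so re-check the decoded form for ".." segments and backslashes.
  if (targetPath.includes("\\") || targetPath.split("/").includes("..")) return false;

  // Keep the trailing slash so ".../desktop2/" does not match ".../desktop/".
  const baseDir = pagePath.slice(0, pagePath.lastIndexOf("/") + 1);
  return targetPath.startsWith(baseDir);
}

// Constructed sample run using targets listed in the message plus one encoded traversal.
for (const t of ["test.txt", "dir/test.txt", "../test.txt", "file:///d:/test.txt",
                 "http://www.google.com/webhp", "dir%2F..%2F..%2Ftest.txt"]) {
  console.log(t, "->", isFileFetchAllowed(PAGE, t) ? "allowed" : "denied");
}
```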