Re: [whatwg] Accessing local files with JavaScript portably and securely

We should be aware of the security risks when recommending a "simple web

* Most (if not all) simple web servers don't block access from non-local
  hosts by default, which can leak users' files. Although your firewall
  can block them for you, users do need to unblock non-local hosts
  sometimes (e.g. to test with a smart phone), so some may have
  whitelisted the server anyway.

* Even if non-local hosts are blocked, non-current users' (in the same
  OS) access can't be blocked easily by a web server. In contrast,
  file:// access is subject to file permission checks.

* Most (if not all) simple web servers are hobby projects, so they
  probably lack enough security audit. E.g. how are URLs like
  "/foo/../../../bar" handled to prevent escaping from the root
  directory?

Those risks may be a non-issue for experienced developers, but they do
affect newbie developers and normal users. So in my opinion, it is much
better to improve and standardize file-URL handling in browsers.


Duan, Yao
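
As an added illustration of the first and third bullets above (not code
from this thread or from any of the servers it mentions), here is a
minimal Python static server that binds to loopback only and rejects,
rather than silently clamps, any request path that would resolve outside
the served directory. The root directory and port are assumed values.

```python
import os
import urllib.parse
from http.server import HTTPServer, SimpleHTTPRequestHandler

# Assumed serving root; any directory works, it is resolved to a real path.
ROOT = os.path.realpath(os.getcwd())


def resolve_safe(root, url_path):
    """Map a request path onto a file under `root`.

    Returns the resolved filesystem path, or None when the request would
    escape `root`, e.g. "/foo/../../../bar" or a percent-encoded "%2e%2e".
    """
    root = os.path.realpath(root)
    # Drop query/fragment, then decode so "%2e%2e/" is seen as "../".
    decoded = urllib.parse.unquote(urllib.parse.urlsplit(url_path).path)
    if "\x00" in decoded:          # NUL would truncate the path in C APIs
        return None
    # lstrip("/") matters: os.path.join discards root on an absolute path.
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # realpath also follows symlinks, so a link pointing outside root fails.
    if candidate == root or candidate.startswith(root + os.sep):
        return candidate
    return None


class LocalOnlyHandler(SimpleHTTPRequestHandler):
    """Answer 403 for traversal attempts instead of quietly dropping '..'
    segments the way the stock handler's translate_path does."""

    def send_head(self):
        if resolve_safe(ROOT, self.path) is None:
            self.send_error(403, "Path escapes served directory")
            return None
        return super().send_head()


if __name__ == "__main__":
    # Loopback only: other hosts on the LAN cannot reach it. Note this does
    # nothing for other users on the same OS, which is the second bullet.
    HTTPServer(("127.0.0.1", 8000), LocalOnlyHandler).serve_forever()
```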

On 2017-04-10 04:33, Gregg Tavares wrote:
> I know this doesn't address your CD-ROM/USB stick situation but FYI...
> for the dev situation there are many *SUPER* simple web servers
>  (not recommended,
> haven't tried the python 3 one)
>   (soon to be deprecated)
> more here
> On Mon, Apr 10, 2017 at 4:36 AM, Jan Tosovsky<>
> wrote:
>> On 2017-04-09 David Kendal wrote:
>>> ... there are many possible uses for local static files accessing
>>> other local static files: the one I have in mind is shipping static
>>> files on CD-ROM or USB stick...
>> In this case the file structure is fixed so it can be exported as JSON
>> file and then linked via the HTML header in every HTML file where it is
>> needed. This structure is then directly available for the further
>> processing.
>> However, I am not sure this covers your use case.
>> Jan

Received on Wednesday, 12 April 2017 05:09:11 UTC