Dear Internet, How happy would you be if Chrome locked down `file:` URLs, treating them as fully opaque origins instead of the weird, in-between state they're in today (see https://github.com/whatwg/html/issues/3099 …)?
not doing that would pretty directly lead to issues around content-type/charset sniffing or controlled download names, right? e.g. if someone links to a downloaded HTML file that includes some local config file as JS, or manages to load a downloaded API response as HTML, ...
e.g. Android's old browser, years ago, had a bug where local apps could dump the cookie database by storing a cookie containing an XSS payload, then forcibly loading the cookie DB as an HTML document
Not just Android. :( `file:` is bad, and it should feel bad.