Dear Internet, How happy would you be if Chrome locked down `file:` URLs, treating them as fully opaque origins instead of the weird, in-between state they're in today (see https://github.com/whatwg/html/issues/3099 …)?
e.g. Android's old browser, years ago, had a bug where local apps could dump the cookie database by storing a cookie containing an XSS payload, then forcibly loading the cookie DB as an HTML document
-
-
Not just Android. :( `file:` is bad, and it should feel bad.
-
without `file:`, would there be any reason left for any part of the browser to have full filesystem access, apart from things that involve directory/file selection popups ("save as", "<input type=file>", ...)?
- 1 more reply
New conversation -
-
-
(chrome on Android now whitelists specific directories for file://)
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
-
-
i’m curious, can you share a link for that?
- End of conversation
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.