Dear Internet, How happy would you be if Chrome locked down `file:` URLs, treating them as fully opaque origins instead of the weird, in-between state they're in today (see https://github.com/whatwg/html/issues/3099 …)?
Replying to @mikewest
Could we also add some obnoxious CSS styling so that small business pages stop accidentally linking to C:\Users\John Doe\Documents\Menus\Evening 2017.pdf?
1 reply 0 retweets 4 likes -
Replying to @aprilmpls
Sounds reasonable to me, though I'm less concerned about that from a security perspective because (at least in Chrome) webby pages can't navigate to or embed `file:` resources.
2 replies 0 retweets 2 likes -
Replying to @mikewest
I actually did not know that. Now I’m curious as to whether other user agents block navigations in that way.
2 replies 0 retweets 0 likes -
Replying to @aprilmpls @mikewest
not doing that would pretty directly lead to issues around content-type/charset sniffing or controlled download names, right? e.g. if someone links to a downloaded HTML file that includes some local config file as JS, or manages to load a downloaded API response as HTML, ...
1 reply 0 retweets 0 likes -
e.g. Android's old browser, years ago, had a bug where local apps could dump the cookie database by storing a cookie containing an XSS payload, then forcibly loading the cookie DB as an HTML document
3 replies 0 retweets 0 likes -
i’m curious, can you share a link for that?
1 reply 0 retweets 0 likes