(From the Phaser documentation.)
It turns out that if browsers maintained a looser policy toward the file:// protocol, it might be possible to run into code like this hypothetical attack described in a Chromium blog post:
1. A local web page (accessed via “file://”) creates an `<iframe>` with the source https://site-containing-your-sensitive-information.com.
2. The local web page submits the contents it has read from the iframe via a form POST to a web server owned by the attacker.
The Chromium blog points out that, if run from the web rather than being accessed via file://, the same-origin policy would cause step #2 to fail consistently, making this hypothetical attack rather innocuous.
It wouldn't work if run from the local file system, either. However, the reason why it wouldn't work isn't particularly cut and dried: this hypothetical attack would actually fail in different places in different browsers, due to the way that different modern browsers deal with local web page security in the absence of a consistent way to apply the same-origin policy.
In other words, yes, it sometimes feels like a panacea to throw a simple HTTP server into a web project's directory. It's because the underlying mechanisms that disable interactions between local and external files in the browser are complicated, and for good reason!
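The same-origin decision that stops the iframe read can be modelled in a few lines. This is an added example, not code from the Phaser documentation or the Chromium blog; it assumes file:// URLs get an opaque origin (which is what the WHATWG URL parser reports), and the file path, `attacker.example` and `localhost:8000` are constructed sample values.

```javascript
// Added example: a model of the same-origin check, not any browser's actual code.
// Assumption: file: URLs have an opaque origin, serialized as the string "null".
// Real browsers differ in how they treat local files, as the text above notes.

const SENSITIVE = "https://site-containing-your-sensitive-information.com/";

// Return the origin of a URL, flagging opaque origins explicitly.
function originOf(urlString) {
  const serialized = new URL(urlString).origin; // default ports are already dropped
  return { opaque: serialized === "null", serialized };
}

// May script in the document at parentUrl read the DOM of a frame at frameUrl?
function canReadFrame(parentUrl, frameUrl) {
  const parent = originOf(parentUrl);
  const frame = originOf(frameUrl);
  // An opaque origin matches nothing, not even another opaque origin.
  // Comparing the serialized strings alone would wrongly make "null" equal "null".
  if (parent.opaque || frame.opaque) return false;
  return parent.serialized === frame.serialized;
}

// Constructed scenarios: [description, parent page, framed or requested URL].
const scenarios = [
  ["attack page served from the web", "https://attacker.example/page.html", SENSITIVE],
  ["attack page opened from disk", "file:///home/user/Downloads/page.html", SENSITIVE],
  ["local page reading a sibling local file", "file:///home/user/game/index.html",
   "file:///home/user/game/assets/level.json"],
  ["same project behind a local HTTP server", "http://localhost:8000/index.html",
   "http://localhost:8000/assets/level.json"],
];

function report() {
  return scenarios.map(([label, parent, frame]) =>
    `${label}: ${canReadFrame(parent, frame) ? "read allowed" : "read blocked"}`);
}

console.log(report().join("\n"));
```

Only the last scenario is allowed, which is why serving a project over HTTP makes its own asset loads work without loosening anything for pages opened from disk.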