Reputation: 37581
Is it possible for a remote html file to download a file to a client?
I'm an iOS dev looking into some security aspects of a native iPhone app that loads local html pages into a UIWebView (that's the iOS class that give browsers functionality to a native app).
If the app loads a local html file and that file contains a link to an external html file then is it possible for that external file to download a file to the client (another html file or a javascript file)? My knowledge of html/javascript isn't detailed enough in this area.
E.g. If A.html is file physically present on the phone and A.html contains a href to B.html where B.html is on a server then is it possible for B.html (using whatever means) to move a file (C.html or D.js etc.) from the server onto the device?
Upvotes: 1
Views: 512
Answers (1)
Reputation: 7317
What you probably mean is : are HTML pages able to download (and potentially execute or overwrite) content/code on the device? I'm just going to assume that in the following.
First, the browser isn't supposed to be able to download anything without the user consent. That's especially true on iOS, where the browser actually can't download anything at all. (Well, you can actually download images by long-pressing on them, but they are only going to go to the Photo Roll. Any other download will just fail.)
HTML pages (and JavaScript, images, ...) are of course downloaded to the device before the browser or
UIWebViewdisplays them, but they can't access anything on the filesystem.What's more, due to the same-origin policy, a web page cannot access anything that's outside of its domain (cross-origin requests allow this, but they require the server to send a particular header).
Say your page is on
http://mywebsite.com: you can't make a request tohttp://blah.orgif it's not setup properly, or even (much more dangerous) tofile:///etc/passwd(which you have no way to setup properly).I'm not sure about local pages, but (at least on Chrome on the desktop) local web pages cannot download anything at all.
Of course, all of these are the expected behavior.
There have been cases of vulnerabilities (this one for instance) where Safari allows unprivileged access to the filesystem, but in most cases they have been patched quickly by Apple and you won't have to (and are not supposed to if you want to avoid unnecessary headaches) worry about them.
Upvotes: 1
Related Questions
- Download a file in HTML
- Download a File Using Just JavaScript
- Is it possible to make a download link for file on remote server?
- Download file/url using Javascript
- Download localfile through html
- how can I create and download the html file using clientside(javascript) code?
- Download HTML file using a tag
- downloading file from server to local machine using javascript and java
- Is it possible to download file to the server using JavaScript
- File download via JavaScript?