CitizenInsane

Reputation: 4855

Trying to better understand cross-origin handling difference between Chrome and Firefox

Background

I initially wanted to create documentation for my applications as simple local HTML files on disk. To serve this purpose, the documentation was meant to be organized as follows:

doc
├── index.html
└── resources
    ├── includes
    │   ├── part1.html
    │   ├── part2.html
    │   └── part3.html
    └── scripts
        ├── makedoc.js
        └── jquery-3.1.1.min.js

So that the documentation could simply open in the default web browser when clicking on index.html (or by means of an open command in my application). index.html was just meant as a container to help break up the documentation into smaller partxx.html pieces:

<!DOCTYPE html>
<html>
<head>
  <script src="./resources/scripts/makedoc.js"></script>
  <script src="./resources/scripts/jquery-3.1.1.min.js"></script>
  <script>$(document).ready(function() { replaceBodyParts(); });</script>
</head>
<body>
  <div replaceWith="./resources/includes/part1.html"></div>
  <div replaceWith="./resources/includes/part2.html"></div>
  <div replaceWith="./resources/includes/part3.html"></div>
</body>
</html>

Just using replaceBodyParts and jQuery to replace div with real content + auto-numbering sections, etc...

Problem

When opening the documentation in Firefox (version 49.0.2), there is no issue, great! ... When opening the documentation in Chrome (version 54.0.2840.71 m), I get the following error:

Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-extension, https, chrome-extension-resource

Question

After reading other threads about this, I clearly understand the security concerns about accessing the local file system from an external domain. My question is more why it works in Firefox and not in Chrome (even recent releases).

NB: I'm not interested in solutions like instantiating a local web server or changing Chrome settings. This is local documentation that the user should be able to open simply (even if it forces them to use Firefox rather than Chrome to read it, or if it forces me to abandon the idea of splitting the documentation into small parts).

Upvotes: 1

Views: 281

Answers (1)

Quentin

Reputation: 943510

Firefox is clearly less secure; it deliberately allows something that Chrome locks down. (Specifically, Firefox allows a script running in an HTML page to read a local file when the HTML file is also a local file AND in the same or higher directory on the user's filesystem. Chrome just has a blanket ban on reading from the filesystem.)

Whether that is something that should be secured is largely a matter of opinion about the relative merits of convenience and functionality vs. the likelihood of someone managing to engineer a situation where it can be exploited.

The developers of Firefox and Chrome clearly have different opinions on that front.

Upvotes: 2
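
The difference discussed in this thread, as an added example that is not part of the original question or answer and is not browser source code: a simplified model of the two file:// policies, run against the doc/ layout from the question. The function names and the /home/user paths are constructed, and the Firefox rule is modelled on the assumption that the target must sit in the page's own directory or below it, which is the arrangement the question reports as working.

```javascript
// Added illustration: simplified model of the two file:// policies, not browser code.
// Schemes copied from the Chrome error message quoted in the question.
const CHROME_SCHEMES = ['http', 'data', 'chrome', 'chrome-extension',
                        'https', 'chrome-extension-resource'];

// Directory portion of a URL path, including the trailing slash.
function directoryOf(url) {
  return url.pathname.slice(0, url.pathname.lastIndexOf('/') + 1);
}

// Chrome: a page loaded from file:// has an opaque ("null") origin, so every
// request it makes is cross-origin and the target scheme must be in the list.
function chromeAllows(pageHref, ref) {
  const page = new URL(pageHref);
  const target = new URL(ref, page);
  if (page.origin !== 'null' && page.origin === target.origin) return true;
  return CHROME_SCHEMES.includes(target.protocol.slice(0, -1));
}

// Firefox (assumed rule): a local page may read a local file only when the
// file sits in the page's own directory or below it.
function firefoxAllows(pageHref, ref) {
  const page = new URL(pageHref);
  const target = new URL(ref, page);          // resolves "./" and "../" segments
  if (target.protocol !== 'file:') return true; // non-file target: ordinary CORS, not modelled
  if (page.protocol !== 'file:') return false;  // web pages never read local files
  return target.pathname.startsWith(directoryOf(page));
}

// Evaluate a list of requested references under both models.
function compare(pageHref, refs) {
  return refs.map((ref) => ({
    ref,
    chrome: chromeAllows(pageHref, ref),
    firefox: firefoxAllows(pageHref, ref),
  }));
}

// Constructed paths mirroring the doc/ layout from the question.
const PAGE = 'file:///home/user/doc/index.html';
const rows = compare(PAGE, [
  './resources/includes/part1.html', // below index.html
  '../private/notes.txt',            // outside the doc/ tree
]);
console.table(rows);
```

Only the first request passes the Firefox model and neither passes the Chrome model, which matches the behaviour reported in the question.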
