RE: Access from a local file
- To: or-talk@xxxxxxxxxxxxx
- Subject: RE: Access from a local file
- From: Martin Fick <mogulguy@xxxxxxxxx>
- Date: Wed, 17 Feb 2010 14:27:50 -0800 (PST)
- In-reply-to: <BLU120-W8B98B992C28E71BF7F99B82480@xxxxxxx>
--- On Wed, 2/17/10, downie - <downgeoff2@xxxxxxxxxxx> wrote:
> > One of the reasons is to prevent malicious users from
> including file:// urls in an external webpage. With file://
> urls, a webpage could be designed to test for the existence
> of local files on your computer.
>
> How? Same origin policy prevents an external website from
> accessing any local files directly. And the 'onload'
> trick detailed at
> http://72.32.12.210/archives/vulnwatch/2002-q2/0032.html
> doesn't work (FF2 OSX anyway) because the images or
> Iframes never load from local resources at all.
> Do you have a Proof of Concept?
No because, as you say, it is prevented. I was explaining
WHY (or at least some reasons why) it is prevented. In
other words, I was explaining why such a policy exists in
Firefox. However, I believe that you can do these things
in Internet Explorer...
-Martin
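The rule the two posters are arguing about can be stated as a small policy check: a document loaded from a remote origin is refused any file:// subresource before a fetch happens, so an image or iframe pointing at a local path fires no load event that a remote page could use to learn whether the file exists. The following is an added illustration written for this archive page, not code from either poster, Tor, or Firefox; `canLoadSubresource` and `simulateProbe` are hypothetical names, and the model only covers the scheme check (real browsers layer further restrictions on top).

```javascript
// Added example (not from the or-talk thread): a model of the browser
// rule under discussion. A document from a remote origin must not be
// able to load file:// subresources, so it gets no onload/onerror signal
// about the local filesystem. Uses the WHATWG URL parser built into
// Node.js and modern browsers; function names are assumptions.

// Schemes treated as "local". Only a document that itself came from a
// local scheme may reference another local resource.
const LOCAL_SCHEMES = new Set(["file:"]);

// Resolve `target` against the document's URL and decide whether the
// document may load it as a subresource (image, iframe, script, ...).
function canLoadSubresource(documentUrl, target) {
  const doc = new URL(documentUrl);
  // Relative targets resolve against the document, so "/img/a.png" in an
  // http:// page stays http://; only an explicit file: target is local.
  const res = new URL(target, documentUrl);

  if (!LOCAL_SCHEMES.has(res.protocol)) {
    return { allowed: true, reason: "target is not a local resource" };
  }
  if (LOCAL_SCHEMES.has(doc.protocol)) {
    return { allowed: true, reason: "local document may load local resources" };
  }
  return {
    allowed: false,
    reason: `${doc.protocol} document may not load a ${res.protocol} resource`,
  };
}

// What a page would observe from an <img>/<iframe> with onload and onerror
// handlers pointing at `target`. `localFileExists` is the constructed state
// of the victim's filesystem. When the policy refuses the load, the result
// is "blocked": neither handler fires in a way that depends on the file,
// which is exactly why the thread says the 2002 onload trick does not work.
function simulateProbe(documentUrl, target, localFileExists) {
  const decision = canLoadSubresource(documentUrl, target);
  if (!decision.allowed) {
    return "blocked";
  }
  return localFileExists ? "onload" : "onerror";
}

// Constructed cases covering the thread's scenarios.
function runCases() {
  return [
    ["http://example.com/page.html", "file:///etc/passwd", true],
    ["http://example.com/page.html", "/img/logo.png", true],
    ["file:///home/user/index.html", "file:///home/user/photo.png", false],
    ["file:///home/user/index.html", "http://example.com/a.png", true],
  ].map(([docUrl, target, exists]) => ({
    docUrl,
    target,
    decision: canLoadSubresource(docUrl, target),
    observed: simulateProbe(docUrl, target, exists),
  }));
}

for (const c of runCases()) {
  console.log(`${c.docUrl} -> ${c.target}: ${c.decision.reason} (${c.observed})`);
}
```

Only the first case is refused: the remote page gets "blocked" whether or not /etc/passwd exists, so the event handlers carry no information. A local document probing another local file still sees onload or onerror, which matches the original point that the restriction is about remote pages, not file:// pages themselves.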