Re: Fedora Security and the Uverse 3800HGV-B router

JD writes:

On 07/02/2011 02:42 PM, Sam Sharpe wrote:
> On 2 July 2011 22:20, JD<jd1008@xxxxxxxxx>  wrote:
>> On my machine, when I disable javascript, it is unable to display my files.
>> I understand that the browser is supposed to be able to display your files
>> with the file:/// URL.
>> I just was not expecting my router to issue a javascript to
>> access my files. And my concern is that any web site can issue a
>> javascript to access personal files; and most people are unaware of this,
>> because they are not techies, and do not understand what javascripts
>> are capable of doing.
> I don't think you understand. Your browser can access your local
> files. It is doing so via a file:/// URL. This is not a problem with
> javascript, this is a feature of your browser. To check this, please
> type in "file:///" into your browsers address bar manually and you
> will see that there is no difference in the behaviour. I repeat, this
> is not a javascript problem and you are getting hysterical over
> nothing.
>
> It is not a security risk because it is showing you the files you have
> access to on your machine. Javascript has absolutely nothing to do
> with it apart from sending *you* to the URL.
>
When I disabled javascript, the link in the
router's page could no longer open
file:///

What you're missing is that a remote server's ability to instruct your web browser to open the contents of file:/// URL is limited to precisely that: your web browser opening and displaying the contents of file:///. The remote server's javascript has no means of accessing the contents of file:///. Once your web browser opens file:///, the previous page from the remote server is closed, together with all the javascript that was in it.

If file:/// gets opened in a separate window or a tab, as can be done, the javascript running from another window or tab still has no means of accessing the contents of another scope, as well. Javascript can only access resources that originate from the same scope.

This is a well-understood security model. There have been isolated instances in the past, where flaws were discovered in some individual browser's security model that allowed some mechanism for running Javascript to access content from another scope; occasionally a common flaw was found that was shared by several browsers.

Barring your wonderrouter leveraging some hereto unknown security exploit, all that your wonderrouter is doing is the equivalent of the HTML that reads

<a href="file:///">Y0U h4ve b33n p0wned</a>

…yawn…


-- 
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines