What is the Same-Origin Policy for File URIs?


Problem description


Perhaps my Google-Fu has deserted me, but I can't find a good description of the same-origin policy for file URIs other than this outdated Mozilla page. Can anyone point me to an explanation of the same-origin policy for file URIs? In particular, if I have a script loaded from (say) file:///C:/Users/Joe/Test/test.html, what files is that script allowed to access using XMLHttpRequest? And how should I specify the URI, i.e., as relative to the script's URI?

Note that I'm not asking for a way to get around cross-origin restrictions, just an understanding of where I need resources to reside so that I can load them without triggering a cross-origin error.

Solution

The same-origin policy for file:/// URIs is implementation-dependent.

The W3C's CORS spec gets its definition of an "origin" from IETF RFC 6454 "The Web Origin Concept". In section 4 "Origin of a URI" it reads:

  1. If uri-scheme is "file", the implementation MAY return an implementation-defined value.

    NOTE: Historically, user agents have granted content from the file scheme a tremendous amount of privilege. However, granting all local files such wide privileges can lead to privilege escalation attacks. Some user agents have had success granting local files directory-based privileges, but this approach has not been widely adopted. Other user agents use globally unique identifiers for each file URI, which is the most secure option.

Looking up the behavior (and the reasoning behind it) for specific browsers is not easy. I actually think the old Mozilla wiki page you referenced is one of the better resources on this topic. Here's a fairly helpful discussion; general guidance is to assume the browser may treat all file:/// URIs as totally unique origins.
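As an added illustration (not part of the original answer and not any browser's code), here is a small model of the RFC 6454 origin rules with the file scheme mapped to a globally unique origin per URI, the option the RFC calls the most secure. It assumes Node's WHATWG URL class and uses the question's script path plus a constructed sibling file.

```javascript
// Illustrative RFC 6454 origin model written for this page, not any browser's code.
// Assumption: only http/https default ports matter here.
const DEFAULT_PORTS = { "http:": 80, "https:": 443 };

// One opaque origin per distinct file URI: a script matches itself, never a sibling file.
const uniqueFileOrigins = new Map();
let nextUniqueId = 1;

function originOf(uriString) {
  const u = new URL(uriString);
  if (u.protocol === "file:") {
    // RFC 6454 4.1: "file" MAY return an implementation-defined value; here a unique id per URI.
    if (!uniqueFileOrigins.has(u.href)) {
      uniqueFileOrigins.set(u.href, { unique: true, id: `file-origin-${nextUniqueId++}` });
    }
    return uniqueFileOrigins.get(u.href);
  }
  // Non-file schemes: the familiar (scheme, host, port) triple.
  const port = u.port ? Number(u.port) : DEFAULT_PORTS[u.protocol];
  return { unique: false, scheme: u.protocol.slice(0, -1), host: u.hostname, port };
}

// RFC 6454 section 5: a unique origin is same-origin only with itself; otherwise all three parts must match.
function sameOrigin(a, b) {
  const oa = originOf(a), ob = originOf(b);
  if (oa.unique || ob.unique) return oa === ob;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Resolve a relative reference against the script's URI, as XMLHttpRequest would.
function resolveAgainst(scriptUri, relative) {
  return new URL(relative, scriptUri).href;
}

// Constructed sample: the question's script and a data file beside it.
function demo() {
  const script = "file:///C:/Users/Joe/Test/test.html";
  const sibling = resolveAgainst(script, "data.json");
  return {
    sibling,
    fileSibling: sameOrigin(script, sibling), // false: each file URI is its own origin
    fileSelf: sameOrigin(script, script),     // true: the same unique origin
    httpSibling: sameOrigin("http://localhost:8000/test.html", "http://localhost:8000/data.json"),
    httpOtherPort: sameOrigin("http://localhost:8000/test.html", "http://localhost:8080/data.json"),
  };
}
```

Under this model even a relative URI resolved beside the script is cross-origin, which is why the practical advice is to assume file:/// loads will fail and to expect browser-specific behaviour rather than a single rule.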
