Trying to better understand cross-origin handling difference between Chrome and Firefox


Problem description


    Background

    I initially wanted to create documentation for my applications as simple local HTML files on disk. To serve this purpose documentation was thought to be organized as follows:

    doc
    ├── index.html
    └── resources
        ├── includes
        │   ├── part1.html
        │   ├── part2.html
        │   └── part3.html
        └── scripts
            ├── makedoc.js
            └── jquery-3.1.1.min.js
    

    So that documentation could simply open in the default web browser when clicking on index.html (or by means of the open command in my application). And index.html was just thought of as a container to help break up the documentation into smaller partxx.html pieces:

    <!DOCTYPE html>
    <html>
    <head>
      <script src="./resources/scripts/makedoc.js"></script>
      <script src="./resources/scripts/jquery-3.1.1.min.js"></script>
      <script>$(document).ready(function() { replaceBodyParts(); });</script>
    </head>
    <body>
      <div replaceWith="./resources/includes/part1.html"></div>
      <div replaceWith="./resources/includes/part1.html"></div>
      <div replaceWith="./resources/includes/part3.html"></div>
    </body>
    </html>
    

    Just using replaceBodyParts and jQuery to replace div with real content + auto-numbering sections, etc...

    Problem

    When opening documentation in Firefox (version 49.0.2), there is no issue, great! ... When opening documentation in Chrome (version 54.0.2840.71 m), I get the following error:

    Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-extension, https, chrome-extension-resource

    Question

    After reading other threads about this, I clearly understand the security concerns about accessing the local file system from an external domain. My question is more about why it works in Firefox and not in Chrome (even recent releases):

    • Does this mean Firefox is more clever to understand that index.html being opened locally, there is no cross-origin issue?
    • Or does this mean Firefox is less secured on that point than Chrome?

    NB: I'm not interested in solutions like instantiating a local web server, or changing Chrome settings. This is local documentation that the user should be able to open simply (even if it forces them to use Firefox rather than Chrome to read it - or if it forces me to abandon the idea of splitting documentation in small parts -).

    Solution

    Firefox is clearly less secured, it deliberately allows something that Chrome locks down. (Specifically, Firefox allows a script running in an HTML page to read a local file when the HTML file is also a local file AND in the same or higher directory on the user's filesystem. Chrome just has a blanket ban on reading from the filesystem.)

    Whether that is something that should be secured is largely a matter of opinion about the relative merits of convenience and functionality vs the likelihood of someone managing to engineer a situation where it can be exploited.

    The developers of Firefox and Chrome clearly have different opinions on that front.
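
The two policies the answer describes, modelled on the question's directory layout. This is an added example, not code from the original post: the function names and the `file:///home/user/...` paths are constructed, and the Firefox rule is written as an assumption (a local page may read files in its own directory or below it, which is the case the question's layout exercises).

```javascript
// Added example, not from the original post. Function names and the
// file:///home/user/... paths are constructed for illustration.

// Directory portion of a URL path, including the trailing "/".
function dirOf(url) {
  return url.pathname.slice(0, url.pathname.lastIndexOf("/") + 1);
}

// Decide whether a script in the local document `docHref` may read `ref`.
//   "chrome"  : blanket ban, script reads of other local files are refused.
//   "firefox" : assumed rule for the Firefox 49 era in the question: the
//               target must sit in the document's directory or below it.
// Anything other than a file: to file: read is outside this model.
function mayRead(browser, docHref, ref) {
  const doc = new URL(docHref);
  const target = new URL(ref, doc); // normalises "./", "../" and "%2e%2e"
  if (doc.protocol !== "file:" || target.protocol !== "file:") {
    throw new RangeError("model only covers file: to file: reads");
  }
  if (browser === "chrome") return false;
  if (browser === "firefox") {
    return doc.host === target.host && target.pathname.startsWith(dirOf(doc));
  }
  throw new RangeError("unknown browser model: " + browser);
}

// Evaluate every include of a page under both models.
function audit(docHref, refs) {
  return refs.map((ref) => ({
    ref,
    firefox: mayRead("firefox", docHref, ref),
    chrome: mayRead("chrome", docHref, ref),
  }));
}

// Constructed input: the question's layout plus two references that
// resolve to a location outside the doc/ directory.
const DOC = "file:///home/user/doc/index.html";
const REFS = [
  "./resources/includes/part1.html",
  "./resources/includes/part3.html",
  "../notes.txt",
  "./resources/%2e%2e/%2e%2e/notes.txt",
];

console.table(audit(DOC, REFS));
```

The comparison runs on the resolved path rather than the raw attribute value, so a reference that climbs out of `doc/` through `..` or its percent-encoded form is judged by where it actually lands.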
