From MozillaZine Knowledge Base
- Note: The ability to open local file links using the methods listed in this article has been removed in Firefox 29 (see bug 995943, fixed in Firefox 30). For more information see Site Compatibility for Firefox 29 - Security (MDN). Related discussion here and in this Mozilla Support thread.
For security purposes, Mozilla applications block links to local files (and directories) from remote files. This includes linking to files on your hard drive, on mapped network drives, and accessible via Uniform Naming Convention (UNC) paths. This prevents a number of unpleasant possibilities, including:
- Allowing sites to detect your operating system by checking default installation paths
- Allowing sites to exploit system vulnerabilities (e.g., C:\con\con in Windows 95/98)
- Allowing sites to detect browser preferences or read sensitive data
Unless you use one of the following workarounds, the blocked hyperlink simply will not work.
Using an Extension
The LocalLink extension allows overriding the security check per click: links to local pages can be followed using the context menu for the link.
The IETab extension allows you to open Firefox tabs with IE content. Since IE is able to browse local file systems, this can be used to open local links.
You can even use "Open Link in Ext.App." from the context menu to open a real Windows Explorer window.
Disabling the Security Check
If you are willing to accept the possible risk of linking to local content, you can override the security policy.
Note: If you are using the NoScript extension, the user_pref approach as described below does not work, NoScript overrules the checkloaduri configuration. Instead, it is possible to allow local links (
file://) in your NoScript Options ("Advanced -> Trusted -> "Allow local links").
Firefox 1.5, SeaMonkey 1.0 and newer
In the most recent versions of these browsers, the old global preference has been removed. Instead, the
checkloaduri preference has been combined with the CAPS interface so you can change the setting on a per-site basis with Security Policies. For example, to allow a certain domain to bypass the
checkloaduri restriction, this could be added to user.js or prefs.js:
The line with
capability.policy.localfilelinks.sites can have multiple websites separated by spaces, like so:
(Naturally, you would replace http://www.example.com and http://www.example.net with sites you wanted to allow access.)
Site names must be listed as in the above example: the protocol (http://) followed by the domain name (www.example.com) followed by, if necessary, a port number (:8080). They should not include the final / or anything else from the path part of the URL.
Thunderbird 1.5, SeaMonkey 1.0 and newer
To enable opening file links you receive in e-mails, follow the example for Firefox 1.5, but with the user.js file in your Thunderbird profile. In the
capability.policy.localfilelinks.sites entry, for POP3 enter
mailbox://mail.example.com, or for mail on your system, simply
mailbox://. For IMAP, use
imap://mail.example.com. You may need to include your username or the port number. Something like (for IMAP):
or, for POP mail:
capability.policy.localfilelinks.sites pref. Note that  implies that a rule with protocol
mailbox: should allow mail in your pop3 mailbox to contain
file: links, however it seems necessary to include in the rule the hierarchical symbol:
You also need to use proper URI syntax for local file references. It is not proper to enter an operating-system-specific path, such as
c:\subdir\file.ext without converting it to a URI, which in this case would be
file:///c:/subdir/file.ext. In general, a file path is converted to a URI by adding the scheme identifier
file:, then three forward slashes (representing an empty authority or host segment), then the path with all backslashes converted to forward slashes.
If you're linking to a file in a UNC path (e.g.,
\\servername\share\file.ext), you will need to specify the path thusly:
Also note that you cannot link to
file://///servername to get a listing of shares at that hostname due to a bug.
Related bug reports