MozillaZine

Links to local pages do not work

From MozillaZine Knowledge Base

(Difference between revisions)
Revision as of 16:22, 18 September 2005
Mozcerize (Talk | contribs)
(updated category info)
<-- Previous diff
Revision as of 14:01, 19 September 2005
Asqueella (Talk | contribs)

Next diff -->
Line 1: Line 1:
[[Category:Page display]] [[Category:Page display]]
- +For security purposes, {{Firefox}} and {{Mozilla Suite}} block links to local files (and directories) from remote files. This includes linking to files on your hard drive, on mapped network drives, and accessible via UNC paths. This ''prevents'' a number of unpleasant possibilities, including:
-For security purposes, [[Mozilla Firefox]] and [[Mozilla Suite]] block links to local files (and directories) from remote files. This includes linking to files on your hard drive, on mapped network drives, and accessible via UNC paths. This ''prevents'' a number of unpleasant possibilities, including:+
* Allowing sites to detect your operating system by checking default installation paths * Allowing sites to detect your operating system by checking default installation paths

Revision as of 14:01, 19 September 2005

For security purposes, Firefox and Mozilla Suite block links to local files (and directories) from remote files. This includes linking to files on your hard drive, on mapped network drives, and accessible via UNC paths. This prevents a number of unpleasant possibilities, including:

  • Allowing sites to detect your operating system by checking default installation paths
  • Allowing sites to exploit system vulnerabilities (e.g., C:\con\con in Windows 95/98)
  • Allowing sites to detect browser preferences or read sensitive data

Contents

Disabling the Security Check

If you are willing to accept the possible risk of linking to local content, you can override the security policy.

Firefox 1.0.x, Mozilla 1.7.x, and older

In Firefox 1.0.x and Mozilla 1.7.x and below, this is an all-or-nothing option: the check is enabled for all sites, or it's disabled for all sites.

Type about:config into the Location bar and hit Enter. Find the entry for security.checkloaduri and change its value to false by double-clicking it. Then, restart your browser.

Firefox 1.5, Mozilla 1.8, and newer

In the most recent versions of these browsers, the old global preference has been removed. Instead, the checkloaduri preference has been combined with the CAPS interface so you can change the setting on a per-site basis with Security Policies. For example, to allow a certain domain to bypass the checkloaduri restriction, this could be added to user.js:

user_pref("capability.policy.policynames", "localfilelinks");
user_pref("capability.policy.default.checkloaduri", "noAccess");
user_pref("capability.policy.localfilelinks.sites", "http://www.example.com");
user_pref("capability.policy.localfilelinks.checkloaduri", "allAccess");

The line with capability.policy.localfilelinks.sites can have multiple websites separated by spaces, like so:

user_pref("capability.policy.localfilelinks.sites", "http://www.example.com http://www.example.net");

(Naturally, you would replace http://www.example.com and http://www.example.net with sites you wanted to allow access.)

Path Syntax

You also need to use proper URI syntax for local file references. It is not proper to enter an operating-system-specific path, such as c:\subdir\file.ext without converting it to a URI, which in this case would be file:///c:/subdir/file.ext. In general, a file path is converted to a URI by adding the scheme identifier file:, then three forward slashes (representing an empty authority or host segment), then the path with all backslashes converted to forward slashes.

UNC Paths

If you're linking to a file in a UNC path (e.g., \\servername\share\file.ext), you will need to specify the path thusly:

file://///servername/share/file.ext

Also note that you cannot link to file://///servername to get a listing of shares at that hostname due to a bug.

See also

External links