Links to local pages do not work

From MozillaZine Knowledge Base
Revision as of 17:18, 16 January 2009 by Bernhard Kaindl (talk | contribs) (→‎IE Tab: Add Link to the addons.mozilla.org site of IE Tab)
Jump to navigationJump to search

For security purposes, Mozilla applications block links to local files (and directories) from remote files. This includes linking to files on your hard drive, on mapped network drives, and accessible via Uniform Naming Convention (UNC) paths. This prevents a number of unpleasant possibilities, including:

  • Allowing sites to detect your operating system by checking default installation paths
  • Allowing sites to exploit system vulnerabilities (e.g., C:\con\con in Windows 95/98)
  • Allowing sites to detect browser preferences or read sensitive data

Using an Extension

LocalLink

The LocalLink extension allows overriding the security check per click: links to local pages can be followed using the context menu for the link. LocallLink is also hosted on the mozilla add-ons site.

IE Tab

The IETab extension[1] allows to open Firefox tabs with IE content. Since IE is able to browse local file systems, this can be used to open local links.

You can even use "Open Link in Ext.App." from the context menu to open a real Windows Explorer window.

Disabling the Security Check

If you are willing to accept the possible risk of linking to local content, you can override the security policy.

Note: If you are using the NoScript extension, the user_pref approach as described below does not work, NoScript overrules the checkloaduri configuration. Instead, it is only possible to globally allow or disallow file://-links, but directly thru changing a setting in the NoScript settings window. To open the NoScript Settings window, select from the Menu: "Extras"->"Addons"->"Extensions"->"NoScript"->"Settings" and in the NoScript settings Window, select the "Advanced" tab, then in it, select the sub-tab "Trusted", and in it check the checkbox "Allow local links"!

Firefox 1.5, SeaMonkey 1.0 and newer

In the most recent versions of these browsers, the old global preference has been removed. Instead, the checkloaduri preference has been combined with the CAPS interface so you can change the setting on a per-site basis with Security Policies. For example, to allow a certain domain to bypass the checkloaduri restriction, this could be added to user.js or prefs.js:

user_pref("capability.policy.policynames", "localfilelinks");
user_pref("capability.policy.localfilelinks.sites", "http://www.example.com");
user_pref("capability.policy.localfilelinks.checkloaduri.enabled", "allAccess");

The line with capability.policy.localfilelinks.sites can have multiple websites separated by spaces, like so:

user_pref("capability.policy.localfilelinks.sites","http://www.example.com http://www.example.net");

(Naturally, you would replace http://www.example.com and http://www.example.net with sites you wanted to allow access.)

Site names must be listed as in the above example: the protocol (http://) followed by the domain name (www.example.com) followed by, if necessary, a port number (:8080). They should not include the final / or anything else from the path part of the URL.

Firefox 1.0.x, Mozilla Suite 1.7.x, and older

In Firefox 1.0.x and Mozilla Suite 1.7.x and below, this is an all-or-nothing option: the check is enabled for all sites, or it's disabled for all sites.

Type about:config into the Location bar and hit Enter. Find the entry for security.checkloaduri and change its value to false by double-clicking it. Then, restart your browser.

Thunderbird 1.5, SeaMonkey 1.0 and newer

To enable opening file links you receive in e-mails, follow the example for Firefox 1.5, but with the user.js file in your Thunderbird profile. In the capability.policy.localfilelinks.sites entry, for POP3 enter mailbox://mail.example.com, or for mail on your system, simply mailbox://. For IMAP, use imap://mail.example.com. You may need to include your username or the port number. Something like (for IMAP):

user_pref("capability.policy.policynames", "localfilelinks");
user_pref("capability.policy.localfilelinks.sites","imap://username@mail.example.com:143");
user_pref("capability.policy.localfilelinks.checkloaduri.enabled", "allAccess");

or, for POP mail:

user_pref("capability.policy.policynames", "localfilelinks");
user_pref("capability.policy.localfilelinks.sites","mailbox://");
user_pref("capability.policy.localfilelinks.checkloaduri.enabled", "allAccess");


If it's not working, turn on the JavaScript Console, click a link in an email, and look at the error message. It will tell you what path it's trying to access. Enter the first part of that path, up to and including the port number, in the capability.policy.localfilelinks.sites pref. Note that [2] implies that a rule with protocol mailbox: should allow mail in your pop3 mailbox to contain file: links, however it seems necessary to include in the rule the hierarchical symbol: mailbox://.

Path Syntax

You also need to use proper URI syntax for local file references. It is not proper to enter an operating-system-specific path, such as c:\subdir\file.ext without converting it to a URI, which in this case would be file:///c:/subdir/file.ext. In general, a file path is converted to a URI by adding the scheme identifier file:, then three forward slashes (representing an empty authority or host segment), then the path with all backslashes converted to forward slashes.

UNC Paths

If you're linking to a file in a UNC path (e.g., \\servername\share\file.ext), you will need to specify the path thusly:

file://///servername/share/file.ext

Also note that you cannot link to file://///servername to get a listing of shares at that hostname due to a bug.

See also

External links