
danielhjacobs
Contributor

No description provided.

danielhjacobs added the labels A-web (Area: Web & Extensions) and T-fix (Type: Bug fix, in something that's supposed to work already) on Oct 11, 2025
url
}
}
Ok(url) => url,
Collaborator

This change is to navigation and not fetch, but I guess still fine.

Contributor Author

Yeah, I noticed that, but still I thought similarly it doesn't make sense to error this early considering security.fileuri.strict_origin_policy exists in Firefox (whether or not it's advised to use).

Contributor Author

@danielhjacobs danielhjacobs Oct 14, 2025

Actually, you don't even need to use that.

If you put the Ruffle JS and WASM files and the SWF file on a server with an appropriate Access-Control-Allow-Origin header, like a GitHub Pages site, your HTML can be on the file protocol, embedding the SWF file from the server, while using the script tag for the build of Ruffle from the server, and if you click a link in the SWF that goes to a different relative URL on the file protocol, it will hit this code path with current Ruffle, or with a build built from this PR, it will instead work fine. That is regardless of any about:config changes.

Contributor Author

As for the safety of removing this code path, I suppose it's a matter of potential debate. I can see an argument for its similarities to https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11730, but on the other hand that CVE was more about the ability to read arbitrary files on the file protocol, not just redirect to them.

Collaborator

Embedding web content from file: is not a good idea, but I don't think we really need to worry about that? Running stuff on your computer is always more dangerous than going to a web page.
