All I want to do with a browser that I can't do normally is disable CORS. Which genius decided that a webserver on localhost was infinitely more trustworthy than a file:// url?
You two have this entirely backwards. It’s the Same-Origin Policy that is stopping you from doing what you want. CORS is a way of loosening up the security to make more things possible. CORS doesn’t – and can’t – stop you from accessing anything. If you “disable CORS” in your browser, guess what? You’re going to be able to access less stuff.
This is needlessly pedantic, and you know it. The same-origin policy makes lots of things a real pain in the ass, and that there is no escape hatch for those times I know that there are some missing headers on my responses doesn’t make sense.
What OP obviously meant was a way to disable same origin policy checks.
It isn’t anything of the sort. If they think the problem is CORS, they are going to put all their effort into trying to figure out how to disable CORS. This will not help them in the slightest. What they want, in effect, is to have a configuration that is as if CORS is on all the time, which they would never think to do if they think it’s CORS stopping them from doing what they want.
> What OP obviously meant was a way to disable same origin policy checks.
Yes, and they showed absolutely no knowledge of the fact that the SOP even exists. They think it’s CORS doing it. Pointing out this is backwards and pointing out what is actually causing their problem is helpful, not pedantic.
Congratulations on figuring out what I meant by a simple one line frustrating comment I made while I was walking to the toilet where I couldn't be bothered to set up a 2 paragraph explanation of precisely what I was talking about.
Are you still referring to accessing a file:// resource? Wouldn’t it be enough to run “python -m http.server 8000” in the desired directory? This sounds simple and quick to me. Or am I missing something?
I ran into some of these concerns when working on a sandbox feature where users select their own files to use in an iframe.
Once in production, sometimes you want the user's browser to serve these local files to itself, from blobs and/or the local file system, meaning a server or CLI isn't feasible.
This should be better from a privacy standpoint since files stay completely client-side, but CORS difficulties end up encouraging developers to push files to the server at least temporarily instead.
> This should be better from a privacy standpoint since files stay completely client-side, but CORS difficulties…
Isn’t this privacy tradeoff directly at odds with security? i.e. local access would also open the door to malicious sites accessing the local file system?
I can understand the dev-time frustration with CORS, but removing it just reintroduces a whole category of security issues.
Maybe there is something better, but whatever replaces it would need to include similar restrictions.
>Isn’t this privacy tradeoff directly at odds with security? i.e. local access would also open the door to malicious sites accessing the local file system?
Look at docker for analogy. Sometimes you just need a volume to use locally, but you don't necessarily need to access files that already exist. Consider the use cases of /tmp/ as well, for instance.
This sounds unrelated to the use case described by the parent, in which they want to serve specific files that exist.
But setting that aside, bypassing CORS to achieve this seems analogous to unlocking your front door/gate before leaving for the day in order to grant access to a delivery driver.
It’ll work, and the driver can deliver your package, but it’ll also let random and potentially malicious passers-by into your home without restriction, so who knows if your home will be intact when you return. A theoretically functional solution that doesn’t really work in the real world.
Some other solution that behaves more like a temporary file store sounds better, but the tradeoff I mentioned is specifically about CORS.
In the case I was referring, we loaded files as blobs in the browser's local storage, allowing us to run a web worker as a persistent local cache server.
This involved managing Firefox's admirable response doctoring policies, though.
All other browsers would let a web worker modify the incoming response to a request before forwarding it to an iframe, but FF absolutely refused it and required that the modified response get constructed anew in its local context, meaning locally created or injected content could not be mistakenly trusted as origin content.
Not everyone has Python or any other web server installed and being able to just double-click an HTML file and access all the web features without any online or native component would unlock so many new use cases.
This is perfectly fine for trusted sites, and I've used it a lot in the past for a few, but it disables cors for everything, and that's a bit too much.
What I want is unrestricted access for my code, and that the sites keep the sandbox.
What I do nowadays is start a server that has basic auth and zero cors, that I can send commands to from my scripts, like, fetch me this resource without cors, or download this to this folder, etc.
This goes a lot farther than disabling CORS checking: it turns off all same origin policy enforcement.
So, ex, if site A opens a tab on site B (and so gets a reference to it), site A can read and modify anything on that page. Or, ads loaded in cross-origin items could read and modify anything on the containing page.
It's fine for testing, but don't log into any real accounts in this profile!
Even more ridiculous is the HSTS requirement for localhost, which inspired me to share the techniques in https://github.com/ip2k/I-Dont-Care-About-HSTS-For-Localhost for automating a bit of the frankly ridiculous and idiotic process required to work around this. Who the heck needs a REAL SSL cert for local web dev, and why is it so hard to permanently override that?!
You can disable this by running Chrome with —-disable-web-security. If you only need this to access local files, you can do —-allow-file-access-from-files
Even more ridiculous IMO is the requirement for a REAL AND VALID SSL CERT for localhost. I made https://github.com/ip2k/I-Dont-Care-About-HSTS-For-Localhost to share some of the frankly ridiculous techniques required to work around this in temporary and more permanent ways.
Forced HSTS, Certificate Transparency checking and limiting key features to "secure contexts" (including the way those are defined) were truly the worst decisions in recent web history...
A local webserver doesn't allow you to open every file on your file system, and there's no guarantee that a particular ip address is a local web server. If you really need it, run python -m http.server in /. That starts a local file server at port 8000.
