why browser doesn't allow rendering local file - javascript

I was using PDF.js , good to know another plugin finally developed using JS. Another step toward that famous quote " if sth can be implemented using JS, eventually it will be implemented using JS".
I tried right away to open a local DEMO page, but it didn't work. and the introduction on PDF.js page indicated that some browser ( in my case: chrome ) don't allow open PDF file under URL file:///a.pdf
is this because of some security concerns ?

If it's using ajax to load the file, yes, it's the browser's interpretation of the Same Origin Policy. Some (most?) browsers don't allow ajax access to file:// origins, even from documents loaded from file:// origins.

Related

Is there any alternative way to load external site's content in our angular web app?

I used a iframe to load a external sites but some of the sites are not load due to a security header x-frame-options:[deny/sameorigin] .
Is there any alternative way to load any external sites in our app.
In a single sentence, it is impossible to make it work with all the external sites within your html using security compliant browsers.
You can try calling an ajax call, get data and use innerHTML to upload content. But it requires CORS enabled on the external site and also actions might not work as you only load html content. Angular might block innerHTML, you might need to relax that exception as well in angular.

How to load an html into another html without security warnings

I'm loading (locally) an html into another html using jquery's load command.
However I'm getting the:
XMLHttpRequest cannot load file://path/newcontent.html. Cross origin requests are only supported for protocol schemes: http, data, chrome-extension, https, chrome-extension-resource.
newcontent.html:
<div>
New Content
</div>
index.html
<div id='putnewcontenthere'>
</div>
I'm using this command:
$("#putnewcontenthere").load("newcontent.html", function() {
//load was performed
});
Now I'm doing this locally without a webserver AND I want to be able to do this "safely" without security warnings AND I don't want to start chrome with disabling security.
I don't need to necessarily use this 'load' command. If there's any other 'hack' my ears are open to any ideas. I'd just like it to work similarly but without security warnings.
Basically, I have a file (locally) and this index.html file is an application that has many screens. I can basically put EVERYTHING into my .html file (and hide/show divs), but I don't want to do this. I want to have a different .html for each one of my screens and load it into the main file programmatically. Is it possible?
(Also, I don't want to use javascript and put my htmls into a string mainly because I want these various htmls to be easily editable.)
Any suggestions?
NOTE: I can't use this as a webserver b/c I'm using this in a Phonegap App which isn't a webserver it's simply static content. I guess I could tweak the phonegap settings to allow .load() to take place, but I want to see if this is possible using plain html and standard security first
NOTE#2: I just realized I can do this successfully (use load()) with phonegap. But I'm leaving this question open if there's a way to do it using file:// on desktop with no security warnings.
Maybe you can use html imports .
Here is a good explanation about they: http://www.html5rocks.com/en/tutorials/webcomponents/imports/.

is it possible to block requested webpage in a firefox browser through addon?

I am developing a firefox addon(using Add-on Builder), which compares the requested webpage content with suspicious webpage content and block the webpage(if it matches).
But i am not getting the blocking a requested webpage (expecting, before full loading) in browser through my addon code.
some solutions, like GoogleSafeBrowsing (not an addon), blocking the webpage and displaying the malware domain names and etc. how it is possible to display the suspicious content before loading webpage and blocking the webpage from loading.
i need a mechanism (with addon or without addon). any help.......
Thanks,
update:
i need this mechanism programitically in javascript (like, if(match){window.close()}.....like that)
You should look at using a lower level Firefox api called nsiContentPolicy - it is possible to use this with the SDK as detailed in this blog post:
http://lduros.net/posts/blocking-images-and-other-content-mozila-add-sdk-and-nsicontentpolicy/

Unsafe JavaScript attempt to access frame in Google Chrome

Our web application (based on HTML5, SVG & JS) runs fine in all the browsers except Google Chrome.
In Google Chrome, the normal javascript events run fine, however, all the javascript events attached to the iFrame are not executed. We get the error in the console:
Unsafe JavaScript attempt to access frame
At the moment, the application is locally hosted and this problem cropped up during inhouse testing.
Googling this brings up lots of posts but none suggests any concrete solution. Any suggestions?
As an additional security measure, Chrome treats every "file" path as its own origin rather than treating the entire "file" scheme as a single origin (which is what other browsers do). This behavior applies only to "file" URLs and you can force Chrome to revert to a single local origin (like other browsers) by passing the --allow-file-access-from-files switch at startup.
You can find more information on the risks associated with local origins described here: http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
Please make sure that both the iframe and main page are using the same protocol (i.e. both https or both http, but not mixed) and are on the same domain (i.e. both www.example.com and not example.com and dev.example.com). Also there's the possibility that something tries to use the file:// protocol, which will also cause this message.

XMLHttpRequest.open, does it work on remote websites?

I'm a bit confused about this.
Does XMLHttpRequest work on a remote URL or does it have to be a local file? There seems to be mixed information on the net.
According to w3.org: The XMLHttpRequest object can be used by scripts to programmatically connect to their originating server via HTTP.
But I've seen it used to access non-local web pages (in vista gadgets for instance for rss feeds) without using a proxy...
Enlighten me please!
It depends on the environment. If you run your JavaScript on a regular web page, XMLHttpRequest won't be able to connect to any other site. (That's what w3.org says, and browsers do implement this restriction.) However, in some contexts (such as Vista gadgets and Greasemonkey), it it possible to connect to any site in an AJAX request.
On a standerd web page you cant however in an app with authorised permissions you can such as a chrome extension with the permission "http://*" set. In my opinion this is a stupid restriction for normal web pages any damage/harm that can be done with it could be done using an iframe and the browsers refuse to disable them (long over due in my opinion).

Categories

Resources