[whatshisface]

>Local files can no longer access other files in the same directory.

What impact will this have on web development without a web server? It sounds like you won't be able to load CSS or JS.

[stevekemp]

This bit me. I store my bookmarks as a file under revision control. I have a "bookmarks.js" file, and which is loaded via a local index.html file. There is some javascript magic for filtering, searching etc.

As of today's upgrade opening file:///home/skx/bookmarks.html no longer loads the JS/data. Breaking the system:

https://github.com/skx/bookmarks.public

Adding a local webserver is fine, but it's a complication I'd managed to avoid.

For reference this is the error I get:

> Cross-Origin Request Blocked:

> The Same Origin Policy disallows reading the remote resource at

> file:////home/skx/bookmarks.data.

> (Reason: CORS request not http).

[photon-torpedo]

So distributing documentation for offline use as a bunch of HTML + CSS files will now run into problems?

[bzbarsky]

If it's just HTML + CSS and no script, everything will work correctly.

The release note refers to script access (XHR, DOM access across windows).

[photon-torpedo]

I see, thanks. The linked release notes make it sound like the block is for all files.

[Wehrdo]

For what it's worth, I'm still able to open and use Doxygen HTML docs without running a web server. Looks like it loads both CSS and JS. So I'm not sure what the changenote actually means.

[bzbarsky]

The changenote is talking about access from script.

Script running in a page loaded from file:// will not be able to access the DOM or text of any other file:// URLs, other than the one it's running in.

[kijin]

That makes sense, because so much security nowadays depends on keeping origins separate. It's hard to tell whether any given file:// URL belongs in the same origin as another file:// URL. Better treat each file:// URL as its own origin.

[zamadatix]

CSS/JS imports in the HTML are ignored. Hyperlinks are links not file loads in the page. It means you can't load e.g. access a file via script (e.g. a JSON file in the directory, directly at least).

[rocky1138]

Most web languages include a simple web server you can start with one command from any directory.

php -S localhost:8080

[LoSboccacc]

if it's the same as chrome the document would be able to load resources trough link and script, only xhr would not work, in case of a simple page statically loaded it should keep working but stuff like phaser.js would not be able to load assets

[vermilingua]

Worse comes to worst it’ll be a toggleable flag, but it is still annoying.

[bzbarsky]

It's a toggleable flag, yes. The "privacy.file_unique_origin" preference controls the behavior.

[nerdponx]

That would be nice. Leave it off by default for most people, let developers turn it on if they really want it.

[swiley]

Personally I run busybox httpd on my laptop anyway just because it's convenient for other things.

Still it's not great.

[leeoniya]

i wrote some offline webapps for my mom with html, css and js. she just opens a local html file on her android tablet. will they stop working?

[bzbarsky]

It depends on what the webapps are doing.

That said, if they work in Chrome right now they will also work in Firefox 68.

[benologist]

You can use software like https://serveo.net to assign a temporary domain to access your local files through a web server.

[llao]

That's not necessary, if you run a local web server then this does not affect you. file:// is for access directly through the filesystem.

[smileybarry]

Currently blocked by Microsoft Defender SmartScreen, probably because the temporary (sub)domains were used as malware domains at some point.

Either way, exposing local files to an internet proxy just to open them in a browser is overkill. Lots of script runtimes come with their own lightweight HTTP servers nowadays. For example, I use Python's with "py -m http.server".

[maxnoe]

python -m http.server

[kabwj]

You’re supposed to use Heroku for HTML development.