webdesign/JavaScript
--allow-file-access-from-files 안정성 문제
yunsoo.note
2022. 7. 8. 17:17
ALLOW LOCAL FILE ACCESS IN CHROME (WINDOWS)
You’ll most likely need to run this with at least admin access, and I would caution visiting unknown sites with this setting on, as they could capitalize on your setting and potentially read local files.
Update, see my newer post on using node and http-server to create a local web server to get around these issues:
Local web server for testing / development using Node.js and http-server
During development, to allow the Chrome browser to reference locally stored JavaScript and XML style-sheets one must start the browser with the --allow-file-access-from-files switch.
This local file accessibility is not default Chrome behavior for "security reasons", apparently. Exactly what would be the security implications of allowing this?
I can't think of any that aren't contrived!
----------------
basically it means if you save an HTML file locally, this setting allows any JavaScript to read other file:// URIs. If you sometimes run local HTML content (by double clicking a HTML file on your file system), a malicious file could read a file from your local machine and send it over the web to the attacker's site.
There doesn't appear to be any extra security risks in online browsing, as it only seems to affect pages loaded over the file scheme.
Ok, so you're saying that, by default, an HTML document opened in the browser, originating from the local file-system, cannot subsequently refer to another local file. Permitting this means potentially a maliciously crafted HTML + JS page dropped somewhere in your filesystem, when opened in a local browser, could submit the contents of a sensitive local file to an external entity.
Presumably also, a document originating from anywhere, local or web, should not, by default, have any access to local file:/// resources.