I've been addressing an open-redirect issue and in experimenting with the latest fix, I noticed that updating the redirect's protocol to file resulted in a blank page on the browser.

That is, redirect.aspx?url=file://legitimate-site.com results in a blank page. Other protocols like madeup:// get the error page, suggesting there is a generic URL processor that says "these protocols are okay" and the browser or the proxy is blocking the malicious redirect.

Obviously, I want the team to limit redirection to just "http" and "https", but I'm curious as to whether there are any browsers that perform redirects to local files or if this is a security hole that has been closed for a while. A quick search has yielded just a few "doesn't work" answers but nothing official.

Brian Nickel

1 Answer

Generally speaking, no, a website cannot redirect the browser to a file: URL. This is due to special restrictions imposed by browsers on use of file: URLs.

(Redirecting to a local file: URL would be mostly harmless, but this is a better-safe-than-sorry situation. It is mostly harmless, because the user is shown the contents of the file in their browser window, but the contents of the file never leave the user's computer and are not sent to the web server, so no harm is done. However, there are some cases where it could pose some risk, so browsers block redirection to file: URLs, just in case. See references below for details.)

To learn more, see the Browser Security Handbook. The Browser Security Handbook should be your standard go-to reference for information about security-related browser behavior.

And sure enough, it covers your question. See, for instance, its sections on URL scheme access rules and Redirection restrictions for information about what kinds of uses of file: URLs are and aren't allowed by browsers.

D.W.

Perfect. Since the query string carried an auth token, I was imagining an exotic attack where an attacker places a directory legitimate-site.com on your computer with an HTML page meta refreshing to a page that reads the referrer. Of course, if an attacker can write in the root directory, the last thing they're going to do is an elaborate redirect attack. And it wouldn't work if they tried. Thanks for the link! – Brian Nickel Aug 15 '12 at 05:04
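A server-side check of the kind the question says the team should add: redirect targets are accepted only when they are absolute http or https URLs pointing at a known host, so file:, madeup: and scheme-relative targets never reach the browser regardless of how it treats them. This is an added example, not code from the question or the answer; the allowlisted hostnames, the helper name safe_redirect_target and the sample inputs are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Hostnames this application may send users to (constructed allowlist).
ALLOWED_HOSTS = {"legitimate-site.com", "www.legitimate-site.com"}
# Only web schemes, as the question proposes: file:, javascript:, madeup:
# and anything else is refused before a Location header is written.
ALLOWED_SCHEMES = {"http", "https"}


def safe_redirect_target(url):
    """Return a normalised absolute URL if `url` may be used as a redirect
    target, otherwise None. Hypothetical helper for a redirect.aspx-style
    endpoint; not code from the question or answer."""
    if not url:
        return None
    # Control characters enable header injection; backslashes are treated
    # as slashes by browsers and confuse host parsing, so refuse both.
    if any(ord(c) < 0x20 for c in url) or "\\" in url:
        return None
    try:
        parts = urlsplit(url.strip())
        port = parts.port            # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ALLOWED_SCHEMES:   # urlsplit lowercases the scheme;
        return None                           # also rejects "//evil.example"
    if parts.username is not None or parts.password is not None:
        return None                 # e.g. http://legitimate-site.com@evil.example
    host = parts.hostname           # lowercased, with any port stripped
    if host is None or host not in ALLOWED_HOSTS:
        return None
    if port not in (None, 80, 443):
        return None
    return urlunsplit(parts)


# Constructed inputs mirroring the cases discussed in the question.
SAMPLES = [
    "http://legitimate-site.com/account?x=1",
    "file://legitimate-site.com",
    "madeup://legitimate-site.com",
    "//evil.example/",
    "http://legitimate-site.com@evil.example/",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:48} -> {safe_redirect_target(s)!r}")
```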