Access to other local files from a local HTML file

Question

I tried this question on programmers site with no luck

Do you see any reason to block a local html file from accessing another local files located in the same folder?

I mean, if a user downloaded an html app (consisting of several html files) and opened it in her browser, why would she want to block this local app from accessing another files in the same folder? Traditional desktop apps have much broader access rights. Normally users won't save html files and open them in a browser. Why block local access?

Answer 1

The actual rules of which files a local html file may access are browser depended. Chrome is a lot stricter than other browsers. Firefox allows access to files in the same folder and down the folder hierarchy as far as I remember.

Ordinary people with little in-depth background knowledge may save a html file with a cooking recipe, a book extract, a travel guide, etc. to their home folder. They don't except such a document to be dangerous. Keeping that in mind, it seems sane, to prevent saved .html files from accessing other local files.

To quote someone on the referenced bug report:

who cares if a webpage can read your credit card numbers by blinding guessing filenames in your profile directory, it can't actually do anything with them if access to internet resources is properly restricted.

The condition in the "if" part is not met: The same origin policy does not apply to image files and scripts loaded via the script tag, to name just two examples. So a locally running JavaScript can leak information to a server on the internet by encoding it in an URL.

Especially saving to the home folder is problematic, because at - least on unix systems - there are well known files with sensitive information such as: mbox, .gnupg/secring.gpg, .ssh/id_rsa, .ssh/id_rsa.pub.

Providing an installationless local http server is a workaround for this issue.