tags:

views:

891

answers:

2
+1  Q: 

How do I bypass a same origin policy violation for one local file to another?

I'm trying to semi-recreate Mozilla's demo usage of JavaScript + <video> + <canvas> with files that aren't hosted on a server.

Loading my document causes the error console to report this error:

Error: uncaught exception: [Exception... "Security error" code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location: "file:///media/disk/javascript/html5/chromakey/chromakey1.htm Line: 23"]

Here's line 23:

this.referenceImageData = this.bCtx.getImageData(0, 0, this.bufferCanvas.width, this.bufferCanvas.height);

It's trying to get the image data from a canvas to which I previously copied a frame of video like this:

this.bCtx.drawImage(this.inputElement,
    0, 0,
    this.inputElement.width, this.inputElement.height,
    0, 0,
    this.bufferCanvas.width, this.bufferCanvas.height
);

Where this.inputElement references this (fairly boring) element:

<video id="MainInput" src="320x240.ogg" width="320" height="240"></video>

Is there any way to get past this error without signing my code with a JAR?

I think it has to do with Firefox's same origin policy (https://developer.mozilla.org/en/Same_origin_policy_for_JavaScript) having an issue local file access, but I can't figure out where to go from there.

A: 

You need to access the file from the same origin, and I think that the file:// protocol is very restricted for obvious security reasons.

Only extensions could access these files, with more privileges.

Fabien Ménager  2009-06-24 21:59:47
+1  A: 

From the filesystem, each file is in a different origin (this prevents accessing e.g. /etc/passwd –let's say using an XMLHttpRequest or an iframe, and then pass data to some server on the Web using the query-string when loading an <img> or automatically sending a form though javascript). See http://tools.ietf.org/html/draft-abarth-origin (it talks about "implementation-defined value", and the easiest is to have a distinct origin per file)

The easiest way to workaround your issue is to run an HTTP server.

There might be a solution using Firefox's "per-file permission" but I'm not sure it's really worth it given how cheap it is to run a local HTTP server... (YMMV)

Thomas Broyer  2009-06-25 10:31:16

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security