Why are local links disabled by default in modern browsers?
I'm having a hard time trying to make my local files accessible to JavaScript (for opening in a new window) from Chrome, and have already found a workaround in Firefox. My question is: why can't JavaScript open a file in a new browser window (with window.open) by default? I cannot see any security issues with this.
The only thing I'm reading everywhere on this topic is: "Web sites should not have access to my disk for reading files." But JavaScript actually can't possibly read the content of the files because of the same-origin policy. You can test it as below.
For example, in the settings of NoScript you can choose Advanced->Trusted and mark "Allow local links". Now open the Firefox console and execute (you should allow pop-ups for this):
x = window.open('file:///%some_path_to_text_file%')
x.document
I'm getting 'Error: Permission denied to access property "document" [Learn More]'. So, what's the deal? Is it safe to keep the option "Allow local links" in NoScript enabled all the time?