Problem: Firefox security model breaks JavaScript Image Preview functions

Some background. Running this example from the local file system (for example, from the address "c:\test.htm" instead of "http://myserver.com/test.htm") allows the image preview to work, because it doesn't violate any security rules as interpreted by the Firefox browser. The same is not true when running it through HTTP. Here are my notes while learning about and trying to correct this problem. Any input is welcome. Contact me here.

To test this...

  1. View source
  2. Save the file to your local file system (ex: C:\TEST.HTM)
  3. Visit the file in your browser (ex: C:\TEST.HTM)
  4. Try the image examples. (The localhost preview should work now.)

However, when the example is served from a web server, trying to preview an image from a local drive on your computer results in the following error/warning...

"Security Error: Content at http://a.tballard/testing-firefox-image-preview-from-local-drive.htm may not load or link to file:///C:/Data_LT/pix/cool_template_basis.gif." (to see the error, visit "javascript:" in the address bar)

To test this...

  1. Try the image example below, as you are probably already viewing this page via HTTP.

Solutions?

Well, unfortunately nothing fast and easy. Here are some things to try.

I. During development....

  1. Visit the URL "about:config" in Firefox
  2. Search (aka "filter") for "checkloaduri"
  3. Double-click that setting to change.
    A value of "true" (default) means http:// protocol pages cannot request localhost paths.
    A value of "false" will permit this to function.

    (Obviously this is not a solution... you do not want your visitors opening themselves to browser exploits)

II. Code Signing...

Since I was in a time crunch, I bailed on trying to understand this solution after 30 minutes of back and forth. Frankly, for the current single digit percentage of traffic that Firefox represents, this just isn't worth it. (And I love Firefox... it's my default browser.) IE clearly wins on the convenience front, even if that comes with some serious security related baggage. My personal preference would be a dialog box managed by the browser that said something like "This page is trying to access a local file... do you trust this site to access the file?" and let the user vote either once per page load or if the anally-minded among us want, at each and every occurrence of an attempted access.
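A third route, shown here as an added example that is not code from the original page: browsers that implement the File API can preview the selected file through a `blob:` URL, so the page never requests a `file://` path and the check described above stays enabled. The names `attachImagePreview` and `MAX_PREVIEW_BYTES`, the size cap, and the element ids are assumptions made for illustration.

```javascript
// Added example: preview a user-selected image without requesting a file:// URL.
// attachImagePreview, MAX_PREVIEW_BYTES and the element ids are illustrative names.
const MAX_PREVIEW_BYTES = 5 * 1024 * 1024; // assumed cap for a preview

function attachImagePreview(input, img, urlApi = URL) {
  let currentUrl = null;

  function clear() {
    if (currentUrl !== null) {
      urlApi.revokeObjectURL(currentUrl); // release the blob held by the old preview
      currentUrl = null;
    }
    img.removeAttribute("src");
  }

  function onChange() {
    clear();
    const file = input.files && input.files[0];
    if (!file) return null;
    // The browser-reported MIME type is only a hint: good enough to decide
    // whether to show a preview, not a substitute for server-side validation.
    if (!file.type.startsWith("image/") || file.size > MAX_PREVIEW_BYTES) {
      return null;
    }
    // blob: URL scoped to this document; the page never learns the local path.
    currentUrl = urlApi.createObjectURL(file);
    img.src = currentUrl;
    return currentUrl;
  }

  input.addEventListener("change", onChange);
  return { onChange, clear };
}

// Browser wiring (ids are placeholders for your own markup).
if (typeof document !== "undefined") {
  const input = document.getElementById("file-input");
  const img = document.getElementById("preview");
  if (input && img) attachImagePreview(input, img);
}
```

Only the file the user explicitly picked in the file input is readable this way; the page still cannot load arbitrary local paths.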

Example

IMG OBJECT

Alternate URL (http)

Original URL (http)

File Input (localhost)