Is the file protocol effectively defunct?
It would be extremely useful to me if an intranet server could generate links such as
<a href="file:///shared/customer_info/customer-name">
<a href="file:///shared/customer_info/customer-name/history.ods">
Since it's an internal intranet app, the server and the users' systems share access to the same filestore, so this is sensible.
Unfortunately, Firefox and Chrome have disabled file:// links. The only thing I can do with them is right-click, copy link location, and then paste it into a file manager location bar or even into the browser's own location bar (in which case they work beautifully!)
Is there a documented way to re-enable them on the browser? Preferably, if there are major security issues, selectively, so that only file:// links coming from a server on the local net are acted upon.
(I'm aware that there's a Firefox plugin "Local filesystem links" that provides some of this functionality, but I'd be hesitant about making my employer dependant on it since Firefox has something of a history of breaking plugins. Also most of the users prefer Chrome. )
No the protocol is not defunct, but it is not a web protocol which is primarily what web browsers were designed for. file:// works in IE and Chrome version 55.0.2883.87 but as you said does not work in Firefox. In a Windows environment, the file protocol, while constructed like a web URL is actually just SMB behind the scenes. Its the same as using a UNC path but allows you to use hyper links and display in a browser.
Its primary use case is for local documentation for product installations (usually help files). It allows accessing the documentation via a web browser and usage of hyperlinks within the documentation. It effectively appears to the end user like a web site, while in fact its just local file access.
For intranet or Internet I recommend setting up http links. Though file:// can work to some degree via intranet I do not recommend it. Especially, as you stated, you already have an http server running.
Related
Almost all useful extensions require permission to access and modify all data on a page.
We can't be sure that a chrome extension is malicious in the sense if it's leaking my data or not.
I realise that many extensions which I use for example the great suspender, even though it needs access to all site data, it doesn't need to communicate with outside world.
Is there a way to block specific chrome extensions from making any network requests at all. ( can we block all outgoing/incoming traffic to a chrome extension. )
I can't keep monitoring a extension 24/7 to see when is it leaking data, For all you know it could be leaking once a month.
No, there's no way to block just the network communication of an extension without blocking its site access (aka "host permissions") entirely. That's because a malicious extension can open a tab with its controlling site (or a hidden iframe in the background script) and insert js code as a standard DOM script which the browser will attribute to the page itself so it'll be able to communicate with the site's domain to upload the exfiltrated data.
So, what you can do practically is to protect the most sensitive sites you use from all extensions by adding a local ExtensionSettings policy with runtime_blocked_hosts that contains that site(s). This will prevent all extensions from accessing the entire site either via content scripts or network requests. Example: {"*": {"runtime_blocked_hosts": ["*://lastpass.com"]}}. And if you have an extension you trust then you can relax this rule for that extension by using runtime_allowed_hosts. See the policy link above for more examples.
I need to develop some sort of browser plugin/extension to track search string on some search engine web site, ex: google.com, bing.com.
From the research, for chrome extension, I saw somebody suggest content js is the way to go. Is it true? Is there a cross-browser approach?
You can use Content.JS or any other JS library you like for developing an extension but with only JS library you cannot develop an extension.
There is a specific way for each browser. It contains at least 4 files.
(1) Manifest file (2) HTML file (3) JS file (4) CSS file
You also need to refer browsers object model.
You can refer links below may help you to get more information.
(1) Creating a Microsoft Edge extension
(2) Getting Started Tutorial to create an extension for Chrome
(3) Your first extension for FireFox
To support cross browser functionality, You can try to port your chrome extension to Firefox or MS Edge. To get more information on porting an extension, you can refer links below.
(1) Porting an extension from Chrome to Microsoft Edge
(2) Porting a Google Chrome extension
Note:- You also need to refer policy of each browser to access browsing data of users. It can be possible that all browser has some difference in their policies.
I have an intranet site where we host files and forms.
When someone clicks on a link to a file on Internet Explorer it opens the file from a shared folder on the server so people who have permission can edit it and save changes. Other people have read only permissions.
If a person clicks on the link in a browser other than Internet Explorer it downloads the file instead of opening it from the shared folder.
Is there a way to have other browsers open the file from the shared folder instead of downloading it?
NOTE: I should clarify that in IE I use the file:// protocol and in other browsers I use http:// because file:// does not work.
For read only mode it depends on the browser i.e. Firefox needs some parameters for file uri processing
user_pref("capability.policy.policynames", "localfilelinks");
user_pref("capability.policy.localfilelinks.sites", "http://yourServer1.companyname.com http://yourServer2.companyname.com");
user_pref("capability.policy.localfilelinks.checkloaduri.enabled", "allAccess");
then it should invite you to download or open the document
For read/write access IE is mandatory
I think that has something to do with the content type of the files. Have a look at that answer https://stackoverflow.com/a/11894771/2153744
For Firefox and Chrome there are extensions to override that behavior (LocaLink for Firefox, Locallinks for Chrome). If you control your intranet software installations you could include those potentially unsafe extensions.
But this is not other browsers; just Firefox and Chrome. So, another option (that I've seen being used) is using a signed Java Applet. The downside is the complexity and having the user authorize the applet which needs privileged execution. The upside is that the applet can do anything as it is a privileged local client.
I have an page with some forms. All the links work fine in IE. They open in a new tab nicely when the hyperlink is click by the user; however, I realized that when Chrome is use the link doesn't open. I keep clicking but nothing opens. The only way of opening the file is copying the hyperlink, opening a new tab in Chrome, paste and go.
Form1
Is this something that browser do? Because I tried it with FireFox and doesn't work either?
It there a way of going around? without installing anything in the browser? Because my user loves Chrome.
Thank you in advanced for the responses.
You can't access to files outside your server or "SandBox", sandbox include the files that user push to the browser or to your server.
If the access from browser to a pc files from web pages was possible, it would be a security problem.
The answer is that you can't with your approach and more importantly you shouldn't. Chrome behavior is in fact the right behavior and it protects you from having malicious users and/or scripts accessing your local resources.
The FILE protocol will access local or defined network named resources which will not be available to a remote user that visits the same page. In other words, you may have outsideserver mapped as a network resource/drive but someone else will not (This does not apply to IPs)
Here's what you can do:
Move the code to a server side script(php, asp, etc) and stream the file back out. Found a quick example here on SO. I did not verify it though. Streaming a large file using PHP
Install a webserver on outsideserver and map a new site to the shared folder. You can then reference it via http (http://outsideserver.com/form1.pdf)
Use the below extension for chrome. It will work.
Enable local file links
Below both options are working and tested.
Link 2
Link 3
I am working on a replacement application to a legacy application. Due to certain design limitations of the legacy application, 'attachments' are stored as a String path in our database (generally files stored on a windows shared drive). The legacy application can then 'open' the attachments by opening a windows command shell and executing the given path.
The legacy (Oracle Forms) application is being phased out by a JSF based J2EE web application. The new application needs to be able to 'open' or link to these legacy attachments somehow. Is this even possible? I have attempted to use file:// URLs, but there are lot of caveats with using them. They only work on remote hosts in IE, firefox/chrome (and other modern browser I assume) prevent local file URLs.
Working only on IE is something that can be lived with for this particular feature. I further ran into an issue with file paths with spaces. For some reason if IE encounters a filepath with spaces in it, say
C:\Documents and Settings\user123\My Documents\testing\someFile.txt
it refuses to open that link. The browser automatically replaces the spaces (' ') with its URL Encoded '%20'.
The associated link I am attempting looks like:
link
Is there something simple to this I am missing? Or is there any easier way of doing this?
I wasn't quite sure what to tag this as so feel free to retag as necessary.
After some extensive testing I have reached the following conclusions:
Only IE will open file:// links that are on a page from a remote host, Other browsers will block them outright and nothing will happen when a user clicks on them.
IE will only open file:// URLs that point to a file that resides on a network drive
If a user clicks on a file:// link pointing to a file on the user's local drive, nothing will happen and they will get no error.
If a user clicks on a file:// link that points to a network file it will open in the browser, if possible.
If the file:// url points to an invalid location (unmapped network drive, file on a network drive that doesn't exist), Windows will show a popup error.
Spaces in the file path needs to be URL encoded with %20
Hopefully this helps someone else out who's looking for information on file urls.
If you use double quotes (") around the path to the file (you will probably need to URL encode these as %22), windows will be OK with the full path:
link