I recently encountered a web page containing the following line of markup:
<script src="resource://ember-inspector-at-emberjs-dot-com/ember-inspector/data/in-page-script.js"></script>
Note that the scheme in the URL is 'resource' and that the URL is not for something that can be reached over the Internet.
This is not a URL scheme that I have previously encountered. Despite some searching on the matter, I can't find any information regarding the use of this scheme.
What is the purpose of the 'resource' scheme? If I were a browser, what would I do with this?
The resource: URI scheme is exclusive to Firefox and was registered with Firefox v3.
It's used internally, related to chrome.manifest.
In Firefox enter this in the address bar and navigate to it..
resource:///
You should find a directory structure of your local Firefox user profile.
Background
Mozilla has multiple URI-schemes registered. Of these include resource: and chrome: (the latter, being more commonly familiar)
A Chrome directory is an important part of any Firefox installation. Inside the Chrome directory there are data files, documents, scripts, images, etc.. all of these files comprise the user interface elements and local user data.
But a chrome:// URI is actually just a special case of the lesser known resource:// URI which points to the top of the platform installation area. All paths in the chrome directory must begin with resource: or jar:
Info found in Rapid Application Development with Mozilla written by Nigel McFarlane
Specific use-case.. Emberjs
For the specific case you referred to, you can find more details here: https://github.com/emberjs/ember-inspector/issues/82
Issues
We allowed accessibility for resource:/// which pointed at the
installed on-disk resources that came with Firefox. I don't know if we
supported alternate resource aliases at the time, but I'm sure add-ons
weren't using them and that we didn't support resource aliasing in
chrome.manifest (which didn't exist).
When we introduced resource into chrome.manifest we should have added
the option contentaccessible=yes mechanism at the same time: let
add-ons opt-in to fingerprintability just as we do with chrome
content. Unfortunately anything we do may have compatibility problems:
searching addon source I find 810 chrome.manifest files that define
custom resource:// locations. One reason for so many is because it's
used by JetPack addons so I'm somewhat hopeful that most of those
don't need to reference these from content.
Quoted from Reference 2 below.
The only reason extensions would need to use resource: is to make things available to web content.
Quoted from Reference 2 below.
Directly from Mozilla
I had a really hard time finding any mention of resource:// in any documentation by Mozilla, IANA, or W3C. This is the one and ONLY direct mention of the definition of resource: that I could find published directly from Mozilla. It was so obscure I took a screenshot :)
Further Reading:
Bugzilla report on resource:// security vulnerability
Another Bugzilla report (source of quote above)
IANA resource:// Resource Identifier provision
IANA Complete List of URI-Scheme Assignments
Related
Does using Chrome v.63 force use of https?
I am running Apache 2.4.27 on a Windows 10 desktop as a sandbox where I can experiment and do some tutorials. I have a virtual host setup called www.tutorial.dev with an alias of tutorial.dev. In the Windows 10 hosts file I have set up www.tutorial.dev and tutorial.dev to point to localhost.
As of yesterday the url http://tutorial.dev/Bootstrap4FromScratch/ was working normally. In this case providing a directory listing as a jump off point into various examples and exercises. Today, when I type in the url Chrome changes it to https and I get a connection refused message.
I understand the connection refused message. There are no certificates setup.
The only change I can find is that Chrome changed from v.62.x to v.63.x. What in Chrome 63 could be forcing http to https?
I don't have this problem with MS Edge. I tested another similar configuration on a different machine that was in the process of downloading Chrome 63.x. It already had 62.x installed. It worked until the 63.x upgrade was complete then the same problem occurred.
Additional information: If I use http://localhost to bring up the index.html or version.php in the htdocs directory the switch from http to https does not happen. The virtual host www.tutorial.dev resides in another directory outside of htdocs.
If this has been asked and answered please point me to the question/answer thread.
Thanks in advance,
Barry
Google owns the .dev TLD and with Chrome 63 they are forcing HTTPS on all requests to anything.dev
I went through my local dev setup and replaced all references to .dev with .local, works fine now.
Your other option is to use Firefox for local development. .dev now triggers https in FF (since before FF61) with a workaround
Edit (asside):
I have switched to using .localhost for dev as browsers allow navigator.geolocation.getCurrentPosition() (blocked if site is not HTTPS).
Google Chrome 63 update, out December 2017, places .dev domains in the preloaded HSTS list with a rule enforcing HTTPS, no workarounds.
{ "name": "dev", "include_subdomains": true, "mode": "force-https" }
The "only" way is to switch .dev with something else, like .localhost
IETF states a few reserved TLDs for development:
TLDs for Testing, & Documentation Examples
There is a need for top level domain (TLD) names that can be used
for creating names which, without fear of conflicts with current or
future actual TLD names in the global DNS, can be used for private
testing of existing DNS related code, examples in documentation, DNS
related experimentation, invalid DNS names, or other similar uses.
For example, without guidance, a site might set up some local
additional unused top level domains for testing of its local DNS code
and configuration. Later, these TLDs might come into actual use on
the global Internet. As a result, local attempts to reference the
real data in these zones could be thwarted by the local test
versions. Or test or example code might be written that accesses a
TLD that is in use with the thought that the test code would only be
run in a restricted testbed net or the example never actually run.
Later, the test code could escape from the testbed or the example be
actually coded and run on the Internet. Depending on the nature of
the test or example, it might be best for it to be referencing a TLD
permanently reserved for such purposes.
To safely satisfy these needs, four domain names are reserved as
listed and described below.
.test
.example
.invalid
.localhost
".test" is recommended for use in testing of current or new DNS
related code.
".example" is recommended for use in documentation or as examples.
".invalid" is intended for use in online construction of domain
names that are sure to be invalid and which it is obvious at a
glance are invalid.
The ".localhost" TLD has traditionally been statically defined in
host DNS implementations as having an A record pointing to the
loop back IP address and is reserved for such use. Any other use
would conflict with widely deployed code which assumes this use.
PS: .foo is also in the preloaded HSTS list
Thanks everyone for the advice. I ended up going with .tst for now. I have a feeling I'l be switching over (forced?) to .localhost at some point. But for now .tst is less typing.
I have a google chrome extension that crashes after you install it from the webstore. When installed from a local copy the extension does not crash. The crash happens when you click the tool bar icon that is added once it has been installed. The icon is supposed to load a table with URLs. Once restarted all you get is the option to recover tabs. I was hoping someone could help identify the issue of the crash or tell me how to access a crash report to see what is causing the problem.
The extension is located here:
Chrome Store App
Any help or direction will be very appreciated. Thank you
I've looked into your issue, and there are two issues here:
Your extension gets disabled, "This extension may have been corrupted."
Chrome crashes.
The latter is caused by a bug that has been fixed in Chrome 40, so I'll only focus on the first issue.
The first issue is caused by Content Verification, an (experimental) security feature in Chrome that ensures the integrity of extensions from the Chrome web store, by disabling extensions that have become corrupted crbug.com/369895. Corruption is detected by verifying the checksum of a file whenever an extension file is accessed by Chrome (for files referenced in the manifest file: at install-time; for other (embedded) files: when the file is loaded).
Unfortunately, there are some bugs in the implementation that causes extensions to be disabled in the following circumstances as well:
crbug.com/439464 - The spelling of a filename in does not match the spelling of the path. On Windows and some Mac systems, the filesystem is case-sensitive, so during development, you may not notice that the spelling of the filename is incorrect. Content verification is case-sensitive, so it will treat "icon.png" different from (uppercase) "Icon.png".
(This discrepancy in checks is unfortunate, but a good thing: if you use an incorrect spelling in the icons field, then the extension would not load on case-sensitive filesystems such as those commonly used on Linux.)
crbug.com/444085 - The paths are not resolved into a canonical form. When you use two "//" instead of "/", then Chrome will find the file, but not its corresponding checksum and disable the extension. To fix this, change "path//to/file" to "path/to/file". Fixing static paths (e.g. in HTML and CSS files) is relatively easy, but if you construct the paths dynamically, then finding the culprit becomes much harder.
To find out why your extension gets disabled, follow the instructions at crbug.com/444085#c25.
The problem was related to a broken url in one of the css files. By disabling all scripts and css we were able to find the problem.
When I check my website with W3C link checker, The checker shows:
Status: 403 Forbidden
"The link is forbidden! This needs fixing. Usual suspects: a missing index.html or Overview.html, or a missing ACL"
But that link is working fine. How can I resolve this issue from that link checker?
Screenshot:
That issue is usually used by over-zealous security filtering which either assumes that all bots are evil or that all bots using certain libraries are evil.
The checklink software uses the LWP library which often finds its way onto such blacklists. The two ways to get checklink to pass the link are:
Download checklink, edit its user-agent string, then run it from your local system and not the W3C servers. (See also: installing CPAN modules.)
Change the security filtering on the server the link is pointing to (this obviously requires that you have access to that server)
Alternatively, you can check the links manually each time you perform a check.
Its not always possible to follow all the standards.
If you have tested that the link is working fine than go ahead.
Okay, so I'm a student programmer in my college's IT department, and I'm doing browser compatibility for a web form my boss wrote. I need the user to be able to open a local file from a shared drive with a single click.
The problem is that Firefox and Chrome don't allow that for security reasons. Thus, I'm trying to write a custom protocol of my own to open an address in Internet Explorer regardless of the browser being used.
Can anyone help me with this? I'd also be willing to try an alternative solution to the problem.
The below worked for me, is this what you mean?
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\foo]
#="URL: foo Protocol"
"URL Protocol"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\foo\DefaultIcon]
#="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\foo\shell]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\foo\shell\open]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\foo\shell\open\command]
#="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe \"%1\""
Just to note, I'm running Win7Pro, so you may have to move around file path(s) to conform to your environment.
And if that doesn't work, create a proxy between the protocol and the browser, pass the argument(s) from foo:// to that, parse what's necessary, then hand it off to IE using start iexplorer.exe "args".
I'm unsure whether I understand your question, if it is how do I open local files using chrome/firefox, this is your anwser:
First a disclaimer, I have never done this and cannot vouch for the accuracy of my response
IE
Microsoft's security model is pretty fail so you can go right ahead and open these files
FireFox
Some quick googling found that Firefox can do this after either editing prefs.js as outlined here or installing an addon called LocalLink
Chrome
Practically impossible due to its security, until now when locallink was ported to chrome.
On an intranet site, let's say I want to link to a file on a share using UNC, at:
\\servername\foldername\filename.rtf
It seems the correct way to do this is with markup like this:
filename.rtf
That's five slashes - two for the protocol, one to indicate the root of the file system, then two more to indicate the start of the server name.
This works fine in IE7, but in Firefox 3.6 it will only work if the html is from a local file. I can't get it to work when the file comes from a web server. The link is "dead" - clicking on it does nothing.
Is there a workaround for this in Firefox? Those two browsers should be all I need to worry about for now.
Since this is obviously a feature of Firefox, not a bug, can someone explain what the benefit is to preventing this type of link?
This question has been asked at least twice before, but I was unable to find those posts before posting my own (sorry):
Open a direct file on the hard drive from firefox (file:///)
Firefox Links to local or network pages do not work
Here is a summary of answers from all three posts:
Use WebDAV — this is the best solution for me, although much more involved than I had anticipated.
Use http:// instead of file:///// — this will serve up a copy of the document that the user cannot edit and save.
Edit user.js on the client as described here — this worked for me in Firefox 3.6.15, but without access to client machines, it's not a solution.
In Firefox, use about:config, change the Security.fileuri.strict_origin_policy setting to false — this doesn't work for me in 3.6.15. Other users on [SO] have also reported that it doesn't work.
Use the locallinks Firefox extension — this sets the Security.fileuri.strict_origin_policy to true for you, and appears to have no other effect.
Read the file server-side and send it as the response — this presents the same problem as simply configuring your web server to use http://.
Browsers like Firefox refuse to open the file:// link when the parent HTML page itself is served using a different protocol like http://.
Your best bet is to configure your webserver to provide the network mapped file as a web resource so that it can be accessed by http:// from the same server instead of by file://.
Since it's unclear which webserver you're using, I can't go in detail as to how to achieve this.
In Firefox to Open File:\\\\\yourFileServer\docs\doc.txt for example you need to turn on some options in Firefox configuration:
user_pref("capability.policy.policynames", "localfilelinks");
user_pref("capability.policy.localfilelinks.sites", "http://yourServer1.companyname.com http://yourServer2.companyname.com");
user_pref("capability.policy.localfilelinks.checkloaduri.enabled", "allAccess");
As it turns out, I was unaware that Firefox had this limitation/feature. I can sympathize with the feature, as it prevents a user from unwittingly accessing the local file system. Fortunately, there are useful alternatives that can provide a similar user experience while sticking to the HTTP protocol.
One alternative to accessing content via UNC paths is to publish your content using the WebDAV protocol. Some content managements systems, such as MS SharePoint, use WebDAV to provide access to documents and pages. As far as the end-user experience is concerned, it looks and feels just like accessing network files with a UNC path; however, all file interactions are performed over HTTP.
It might require a modest change in your file access philosophy, so I suggest you read about the WebDAV protocol, configuration, and permission management as it relates to your specific server technology.
Here are a few links that may be helpful if you are interested in learning more about configuring and using WebDAV on a few leading HTTP servers:
Apache Module mod_dav
IIS 7.0 WebDAV Extension
Configuring WebDAV Server in IIS 7, 6, 5
Add your own policy, open configuration "about:config" in the location bar and add three new entries:
capability.policy.policynames MyPolicy
capability.policy.MyPolicy.sites http://localhost
capability.policy.MyPolicy.checkloaduri.enabled allAccess
Replace http://localhost with your website.
Works with Firefox 70.0.
I don't know if this will work, but give it a shot! Old article, but potentially still useful.
http://www.techlifeweb.com/firefox/2006/07/how-to-open-file-links-in-firefox-15.html