Opening links to local files file://

Add-ons Development
#1

Hello,
I’m developing Group Speed Dial using web-extension API and I’m getting feature requests to support file:// protocol.
Some people want to access their locally stored .html pages from speed-dial addon.

However there is some security restriction that prevents opening any link pointing to “file:///”.

Is there a way to get over this restriction? Now or in the future - by requesting maybe a new security API for web-extension? If there is no solution yet, can somebody tell me what would be the best way to request this kind of feature?

In Chrome local files just works.

#2

AFAIK in Chrome, the user has to set an extra checkbox in the add-on manager, which will only appear if the extension has set host permissions including <all_urls> or file://

There is a function in the .extension or .runtime namespace that should tell you whether you have file system access or not. If that returns false in Firefox, I guess that is your answer, at least for now.

#3

Sorry I was not aware of that, seems like locally loaded addons (during development) has this checkbox automatically checked.

#4

Juraj Masiar, can you please post a sample of the code that fails for you?

#5

There are no errors, Firefox just won’t react on clicking on elements pointing to local files.
For example:

<a id="dial_13" href="file:///C:/Users/Juraj/Desktop/simple.html">Click me</a>

will not open file “simple.html” from my desktop (if I copy the ‘href’ value into addressbar I can view the html file).
I understand the security issue here but I believe the add-ons deserves this functionality.

There is also some article here about accessing files https://wiki.mozilla.org/WebExtensions/Filesystem

#6

Unfortunately, it’s not planned for Firefox 57, but may be available later. Even the article you linked to at https://wiki.mozilla.org/WebExtensions/Filesystem mentions at the very bottom “Firefox 57 / Not Planned / Access to file:// URLs or reading files without any explicit user input”

1 Like
#7

Hi there,

it’s unfortunate that this isn’t even possible on explicit user input or by requesting permissions.

I’m the author of the LocalLink addon which adds a context submenu to the page context menu so that users can open file:// links contained in web pages. (Some bad content systems do this so that users rely on it.) Note that this requries explicit interactions, I’m not circumventing same-origin policy for “ordinary link clicks”.

In the XUL version of my addon, I use window.loadURI(uri, null, null), openNewTabWith(uri, null, null, event) and openNewWindowWith(uri, null, null) to open those uris irrespective of checkloaduri.

I ported the context menu and such to webextensions now, but browser.tabs.update() and window.open() called from a background script are subject to the same-origin restrictions, no loading of file:// uris

requesting "file://*/" permissions in manifest.json does not help either. MDN docu suggests "content_security_policy": "script-src 'self'; object-src 'self'; navigation-to 'filesystem:'" but my Firefox 56 does not know navigation-to, and I don’t think Firefox 57 does.

Entering file:// uris in the address bar directly works, of course. Is there any way to (request a permission to be able to) to do this from a webextension? I.e., based upon user input, update a tab or create a new one that navigates to a given file:// uri?

Michael