Skip to content

Instantly share code, notes, and snippets.

rongarret / gist:d8987c9cd57bd768e1de
Last active Aug 29, 2015
Safari FILE: scheme security hole
View gist:d8987c9cd57bd768e1de
It appears that Safari does not enforce any kind of access
restrictions for XMLHTTPRequests on FILE: scheme URLs. As a
result, any HTML file on the local file system that is opened in
Safari can read any file that the user has access to (and, of
course, it can upload those files too). Here's a little
proof-of-concept. Copy and paste this into a local HTML file and
open it in Safari. It will display the contents of /etc/passwd.
<script src=></script>
You can’t perform that action at this time.