Mailing Lists: Apple Mailing Lists
Image of Mac OS face in stamp
Re: Overriding 'Not allowed to load local resources'
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Overriding 'Not allowed to load local resources'




On 14-Apr-08, at 11:52 AM, Darin Adler wrote:

On Apr 10, 2008, at 10:03 AM, Todd Thomas wrote:

I have a custom webkit based application where I'd like to be able to fetch local media resources from within html pages coming from a server.
Of course when I tried this I ended up with an error 'Not allowed to load local resources'. Is there an easy way to allow this within my own application?

Generally this is a dangerous direction to go in. With a man in the middle attack, someone could give you malicious content, and because you gave this content special privileges, it could get at any file on your user's computer.


Generally it's safer to come up with a way for the remote page to get special resources rather than trying to turn off the local resource security machinery entirely.

I was just trying every angle I could think of. The app isn't publicly available and it really only visits a single URL it is given. I think the risk of any sort of attack against it would be low. I just wanted to be able to serve up some high bandwidth flash files locally to a bunch of test computers. The clients did not want to set up a local web server to serve up the files either.



As far as I could tell it would require calling FrameLoader::setRestrictAccessToLocal(false) in WebCore which seems to be a bit difficult in itself. If I build WebCore myself and include it in my project and then include FrameLoader I still get errors because of the private headers FrameLoader.h includes. I guess I could keep going down this path and include the private headers folder in WebCore but this doesn't seem like the way to go.

This is not the way to go.

Good, because it wasn't going well. :-)


The other option I figured might work would be to create a custom protocol that webkit would think is non-local (say localfile://) and then read the file from the local filesystem myself. Is this the better way to go? This is an app we have complete control over the pages it views so using a custom protocol is doable.

That seems like a good option.

It would be a good option if it worked - I absolutely cannot get the flash plugin to play content that is loaded from a custom protocol. I even compiled webkit so I could see the debugging from the plugin and it isn't reporting any errors.


I first tried loading a page http://localhost/testing.html that had a reference like <embed src="localfile://path/to/file"> and that did not work. My custom protocol did load the data and hand it back to the client but nothing was ever displayed. Then I found an older msg on the list that said this wouldn't work - that the protocols had to match.

So I tried to be more clever and registered a custom protocol that just looked for certain paths like <embed src="/localfile/path/to/ file"> and then loaded the data - so on the surface everything looks like it is just using http coming from the same server. It didn't work either. Same result as above. Does the flash plugin really have any idea that two different protocol handlers took care of loading the main page and then the flash content itself? It seems so because I really figured this way would work just fine.

todd


_______________________________________________ Do not post admin requests to the list. They will be ignored. Webkitsdk-dev mailing list (email@hidden) Help/Unsubscribe/Update your Subscription: This email sent to email@hidden
References: 
 >Overriding 'Not allowed to load local resources' (From: Todd Thomas <email@hidden>)
 >Re: Overriding 'Not allowed to load local resources' (From: Darin Adler <email@hidden>)



Visit the Apple Store online or at retail locations.
1-800-MY-APPLE

Contact Apple | Terms of Use | Privacy Policy

Copyright © 2011 Apple Inc. All rights reserved.