9/19/2010

Opera and access to file:// iframes


It's just a quick thought about getting content of iframes with file:// sources. While Firefox and Chrome don't alllow access to contentWindow and contentDocument properties of iframes with file:// sources, Opera and Internet Explorer don't have such security policies.
It's possible to get access to it in case when original file with iframe is saved locally. This way, Opera and Internet Explorer render file iframe and, as long as protocols match, which is required for contentWindow and contentDocument properties, allow reading it (actually, Firefox lets this too, but it also compares path to file - if they differ, it throws security exception).
So, we force user to save webpage locally (as HTML file) and to open it. In case of IE, however, it won't execute Javascript by default. Still, Opera lets us do it.
Here is a proof-of-concept just for fun:

<body />
<script>
  iframe = document.createElement('iframe');
  iframe.src = 'file://localhost/etc/passwd';
  document.body.appendChild(iframe);
  info = iframe.contentWindow.document.body.innerHTML;
  alert(info);
</script>

P.S. Wow, I don't really know what does it mean, but Safari runs Windows Explorer with the path of such iframes.