What is the Same-Origin Policy for File URIs?

Question

Perhaps my Google-Fu has deserted me, but I can't find a good description of the same-origin policy for file URIs other than this outdated Mozilla page. Can anyone point me to an explanation of the same-origin policy for file URIs? In particular, if I have a script loaded from (say) file:///C:/Users/Joe/Test/test.html, what files is that script allowed to access using XMLHttpRequest? And how should I specify the URI, i.e., as relative to the script's URI?

Note that I'm not asking for a way to get around cross-origin restrictions, just an understanding of where I need resources to reside so that I can load them without triggering a cross-origin error.

Answer 1

The same-origin policy for file:/// URIs is implementation-dependent.

The W3C's CORS spec gets its definition of an "origin" from IETF RFC 6454 "The Web Origin Concept". In section 4 "Origin of a URI" it reads:

4. If uri-scheme is "file", the implementation MAY return an implementation-defined value.

NOTE: Historically, user agents have granted content from the file scheme a tremendous amount of privilege. However, granting all local files such wide privileges can lead to privilege escalation attacks. Some user agents have had success granting local files directory-based privileges, but this approach has not been widely adopted. Other user agents use globally unique identifiers for each file URI, which is the most secure option.

Looking up the behavior (and the reasoning behind it) for specific browsers is not easy. I actually think the old Mozilla wiki page you referenced is one of the better resources on this topic. Here's a fairly helpful discussion; general guidance is to assume the browser may treat all file:/// URIs as totally unique origins.