On 12/20/05, Maciej Stachowiak [EMAIL PROTECTED] wrote:
Um, they shouldn't be able to. Or at least, in many UAs they can't.
Do you know of UAs that will prevent a file: URL document from
loading another file: URL in a frame or iframe? Or apply any
restrictions to scripting access to the resulting document. I don't
know of any that will.
Well other than Internet Explorer 6 on XP service pack 2 of course?
Although there are of course still ways of doing it.
I don't think reading /dev/mouse will specifically do anything bad,
but I see your point. For file: in file: inclusion I think it would
be wise to exclude certain system paths such as /dev and /etc. I
think this may be done already.
This shouldn't be specified in the specifcation, what is safe to be
included can only be known to the user agent as it's wholly specific
to the platform and configuration of the platform.
Jim.