> > Think about JavaScript. running Windows, the security hole(tm): > A script would be able to open a local file without you even > notice it, and send its contents back to a server. Is that > what you really want ? > > If I type a URL in the URL bar, I'm sure of what I'm doing. > If the URL is not a URL I type, but that comes from an > untrusted site, I certainly do not want a script ends up > accessing my private files. >
Scripting or other active "features" are different than a static link. We're already aware and it's fully documented what access Javascript and other active features have to the local file system (generally none). We already know that a "file://" hyperlink in a page "works" in IE but your theorized security hole doesn't exist in IE (I just tried it) because Javascript has no access to the local file system that way. I'm just saying that the behavior is not consistent to me and it works as I expect in the world's most popular browser. I would expect either the same behavior from other browsers or documentation in my browser of choice telling me that it's not allowed. I guess this is getting pretty far off topic. :) Rick _______________________________________________ Trac mailing list [email protected] http://lists.edgewall.com/mailman/listinfo/trac
