We should be aware of the security risks when recommand a "simple web server".

* Most (if not all) simple web servers don't block access from non-local hosts by default, which can leak users' files. Although your firewall can block them for you, users do need unblock non-local hosts sometimes (e.g. test with a smart phone), so some may have whitelisted the
  server anyway.

* Even if non-local hosts are blocked, non-current users'(in the same OS) access can't be blocked easily by a web server. In contrast, file:// access is subject to file permission check.

* Most (if not all) simple web servers are hobby projects so probabaly lacks enough security audit. E.g. How urls like "/foo/../../../bar" are handled to prevent escaping from the root directory?

Those risks may be non-issue for experienced developers, but do affect newbie developers and normal users. So In my opinion, it is much better to improve and standardize file-url
handling in browsers.


Duan, Yao

在 2017年04月10日 04:33, Gregg Tavares 写道:
I know this doesn't address your CD-ROM/USB stick situation but FYI...

for the dev situation there are many *SUPER* simple web servers




https://docs.python.org/2/library/simplehttpserver.html  (not recommended,
haven't tried the python 3 one)

  (soon to be deprecated)

more here

On Mon, Apr 10, 2017 at 4:36 AM, Jan Tosovsky<jan.tosovsky...@gmail.com>

On 2017-04-09 David Kendal wrote:
... there are many possible uses for local static files accessing
other local static files: the one I have in mind is shipping static
files on CD-ROM or USB stick...
In this case the file structure is fixed so it can be exported as JSON
file and then linked via the HTML header in every HTML file where it is
needed. This structure is then directly available for the further

However, I am not sure this covers your use case.


Reply via email to