We should be aware of the security risks when recommending a "simple web
server".
* Most (if not all) simple web servers don't block access from non-local
hosts by default, which can leak users' files. Although your firewall can
block them for you, users do need to unblock non-local hosts sometimes
(e.g. to test with a smartphone), so some may have whitelisted the server
anyway.
* Even if non-local hosts are blocked, access by non-current users (in the
same OS) can't be blocked easily by a web server. In contrast, file://
access is subject to file permission checks.
* Most (if not all) simple web servers are hobby projects, so they probably
lack enough security audit. E.g. how are URLs like "/foo/../../../bar"
handled to prevent escaping from the root directory?
Those risks may be a non-issue for experienced developers, but they do
affect newbie developers and normal users. So in my opinion, it is much
better to improve and standardize file-url handling in browsers.
Regards,
Duan, Yao
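As an added illustration of the two risks raised above (serving to non-local hosts, and "/foo/../../../bar" escaping the root), here is a small Python 3 static server that binds to loopback unless told otherwise and refuses any request path that would leave the served directory. This is example code written for this thread, not code from any of the servers linked below; the names `request_path_segments`, `safe_join`, `ContainedHandler`, `serve` and `demo` are made up here, and it assumes Python 3.7+ on a POSIX host.

```python
"""Minimal static file server that keeps requests inside one directory.

Added example for this thread (not code from any linked project).
Assumes Python 3.7+ and a POSIX host; all names here are illustrative.
"""
import functools
import os
import tempfile
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import unquote


def request_path_segments(url_path):
    """Lexically resolve a request path into segments under a virtual root.

    Returns a tuple of path segments, or None if the request tries to climb
    above the root ("/foo/../../../bar"), including percent-encoded forms
    such as "/%2e%2e/bar". Backslashes and NUL bytes are rejected outright
    so the segments are also safe to hand to os.path.join on Windows.
    """
    path = url_path.split("?", 1)[0].split("#", 1)[0]  # drop query/fragment
    path = unquote(path)                               # %2e%2e -> ..
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if "\\" in seg or "\x00" in seg:
            return None
        if seg == "..":
            if not segments:
                return None  # nowhere left to climb: escape attempt
            segments.pop()
            continue
        segments.append(seg)
    return tuple(segments)


def safe_join(root, url_path):
    """Map a request path to a real filesystem path inside `root`.

    Returns None for traversal attempts and for symlinks that resolve
    outside the root, which the lexical check alone cannot see.
    """
    real_root = os.path.realpath(root)
    segments = request_path_segments(url_path)
    if segments is None:
        return None
    candidate = os.path.realpath(os.path.join(real_root, *segments))
    if candidate != real_root and not candidate.startswith(real_root + os.sep):
        return None
    return candidate


class ContainedHandler(SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler whose path mapping never leaves `directory`."""

    def send_head(self):
        if safe_join(self.directory, self.path) is None:
            self.send_error(403, "Request path escapes the served directory")
            return None
        return super().send_head()

    def translate_path(self, path):
        return safe_join(self.directory, path) or self.directory


def serve(root, host="127.0.0.1", port=8000):
    """Bind to loopback by default; pass host="0.0.0.0" only deliberately."""
    handler = functools.partial(ContainedHandler, directory=root)
    with ThreadingHTTPServer((host, port), handler) as httpd:
        httpd.serve_forever()


def demo():
    """Exercise safe_join against a constructed directory tree.

    Builds a temporary root holding one file plus a symlink that points
    outside the root, and returns which request paths are accepted.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "www")
        os.makedirs(os.path.join(root, "docs"))
        with open(os.path.join(root, "docs", "index.html"), "w") as f:
            f.write("<p>hello</p>")
        secret = os.path.join(tmp, "secret.txt")  # constructed, lives outside root
        with open(secret, "w") as f:
            f.write("outside the root")
        os.symlink(secret, os.path.join(root, "link.txt"))
        requests = [
            "/docs/index.html",                # plain file inside root
            "/docs/../docs/index.html?x=1",    # ".." that stays inside, with query
            "/foo/../../../bar",               # classic traversal
            "/%2e%2e/%2e%2e/etc/passwd",       # percent-encoded traversal
            "/link.txt",                       # symlink escaping the root
            "/docs\\..\\..\\x",                # backslash segments
        ]
        return {p: safe_join(root, p) is not None for p in requests}


if __name__ == "__main__":
    for path, allowed in demo().items():
        print(f"{'allow' if allowed else 'deny ':5} {path}")
```

Run the module directly to see which constructed paths are accepted; call `serve("/path/to/site")` to serve a directory on 127.0.0.1:8000. The lexical pass rejects climbing above the root rather than silently clamping it, so an attempt shows up as a 403 in the log instead of being quietly served as "/bar"; the `realpath` comparison afterwards catches the case the lexical pass cannot, a symlink inside the root that points outside it.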
On 2017-04-10 04:33, Gregg Tavares wrote:
I know this doesn't address your CD-ROM/USB stick situation but FYI...
for the dev situation there are many *SUPER* simple web servers
https://greggman.github.io/servez/
https://github.com/cortesi/devd/
https://github.com/indexzero/http-server/
https://docs.python.org/2/library/simplehttpserver.html (not recommended,
haven't tried the python 3 one)
https://chrome.google.com/webstore/detail/web-server-for-chrome/ofhbbkphhbklhfoeikjpcbhemlocgigb?hl=en
(soon to be deprecated)
more here
http://stackoverflow.com/questions/12905426/what-is-a-faster-alternative-to-pythons-http-server-or-simplehttpserver
On Mon, Apr 10, 2017 at 4:36 AM, Jan Tosovsky <jan.tosovsky...@gmail.com>
wrote:
On 2017-04-09 David Kendal wrote:
... there are many possible uses for local static files accessing
other local static files: the one I have in mind is shipping static
files on CD-ROM or USB stick...
In this case the file structure is fixed so it can be exported as JSON
file and then linked via the HTML header in every HTML file where it is
needed. This structure is then directly available for the further
processing.
However, I am not sure this covers your use case.
Jan