BookMarker Project - Opening local files on localhost through Django generated pages

[Aseem Bansal]

I am working on a BookMarker project for managing my bookmarks. I was creating the search page for lisitng bookmarks as per categories. I hit a snag while testing it. I am unable to open locally stored webpages. I understand that it is for security purposes but is it possible (cross-browser way) to grant permissions for a app to open locally stored files? The app can ask for permissions for this.

[Adam Stein]

On Tue, 2014-05-20 at 11:29 -0700, Aseem Bansal wrote:

I am working on a BookMarker project for managing my bookmarks. I was creating the search page for lisitng bookmarks as per categories. I hit a snag while testing it. I am unable to open locally stored webpages. I understand that it is for security purposes but is it possible (cross-browser way) to grant permissions for a app to open locally stored files? The app can ask for permissions for this.

Are you running with DEBUG=True or did you set ALLOWED_HOSTS?

-- Adam (ad...@csh.rit.edu)

[Aseem Bansal]

I am running with DEBUG=TRUE so far

[Daniel Roseman]

On Tuesday, 20 May 2014 19:29:06 UTC+1, Aseem Bansal wrote:

I am working on a BookMarker project for managing my bookmarks. I was creating the search page for lisitng bookmarks as per categories. I hit a snag while testing it. I am unable to open locally stored webpages. I understand that it is for security purposes but is it possible (cross-browser way) to grant permissions for a app to open locally stored files? The app can ask for permissions for this.

You'll need to be a bit clearer. Ignoring for the moment the fact that the client and the server are the same machine in development, are you hoping for your server to be able to open pages stored locally on your client? That's not going to be possible, for what I hope are obvious reasons. If that's not what you mean, you should explain in more detail.

--

DR.

[Aseem Bansal]

I want the the webpage served to the client machine from the server to have a hyperlink. The hyperlink will be for a html file stored on the client machine. After the webpage has been served to the client webbrowser then when the client user clicks on the hyperlink I want the html page to be opened in the webbrowser. The webbrowser can ask for the permissions if necessary.

Basically I want a interface where I can manage my bookmarks - offline or online for which I am making this. So any ideas now?

[Aseem Bansal]

The server will not be able to open pages stored on client machine but the client user should be able to open html pages stored on client machine by clicking on a hyperlink manually. 

[François Schiettecatte]

You can do this with a 'file://...' url, that will cause the browser to open a file on the local file system, the browser won't need to ask for permission, the only issue is that the files will need to be in a known path.

François

> --
> You received this message because you are subscribed to the Google Groups "Django users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to django-users...@googlegroups.com.
> To post to this group, send email to django...@googlegroups.com.
> Visit this group at http://groups.google.com/group/django-users.
> To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/7df2d6a2-dcc9-4551-8617-a4eb30003926%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

[Aseem Bansal]

I understand the requirement of file protocol. That's how I keep bookmarks in Chrome currently. But when I served the same as a hyperlink I am getting Not allowed to load local resource:

[C. Kirby]

Errors without code aren't very useful. If you provide the view and template you are rendering it will give us something to latch onto and debug

Kirby

[François Schiettecatte]

It would also help to know what is giving the error.

I did a quick google search with the text of the error (which you could have done), it looks like browsers are not keen on accessing 'file://...' urls from a web page served by a web server, this for security reasons. For kicks, I embedded a link to 'file:///Users/francois/Sites/index.html' in a page served by the django sandbox web server ( 'python manage.py runserver' ), and none of the browsers I tried would access this file (Safari, FF, Chrome, IE).

François

> To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/4e5e9e63-0771-4a04-8cbc-91361106f81c%40googlegroups.com.

[Aseem Bansal]

Here is the code so far. I have just kept Bootstrap and JQuery ignored in git. Rest is there

https://github.com/anshbansal/Bookmarker

[Aseem Bansal]

The error is coming in Chrome's console not in Python/Django when I try to click on the link in my webbrowser. The HTML generated is below

<div class="row">
	<div class="col-md-12">
	<a href="file:///D:/Study/Docs/Python/python-3.4.0-docs-html/index.html" target="_blank">Python 3.4 Docs</a>
	</div>
	</div>

[François Schiettecatte]

Well ok, this is not a django issue. Like I said in my previous email the browser is blocking this for security/sandboxing issue. You could start chrome with security ( see http://superuser.com/questions/593726/is-it-possible-to-run-chrome-with-and-without-web-security-at-the-same-time ) and see if that helps. But other browsers will have the same issue.

If you think about it, it makes perfect sense for a browser to block local file access from a page served by a web server, otherwise it would be trivial for anyone to write some javascript to access local files and send them off back to the server.

François

> To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/85f54280-fc3b-453b-87a5-cebffb643795%40googlegroups.com.

[Aseem Bansal]

I had searched that but there should be a way to give permissions. The client can give the permissions. Can the client not?

[François Schiettecatte]

See my previous email, you can get chrome to launch with securities turned off (and Chromium too with the same command line argument), but not Firefox or Safari, not sure about IE. Not even sure if the flag I mentioned will help in this specific case.

And I am not sure about the wisdom of running a web browser with securities off.

Regardless this is not a django issue but a browser issue, so this is not the forum for this question :)

François

> To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/273a748c-5084-4c59-95eb-3a18210d4f21%40googlegroups.com.

[Aseem Bansal]

There has to be a workaround. Using webbrowser.open via a request to the server on clicking? That's hacky but I started working on Django for this project and if web browsers cannot do this then  I made  a wrong choice for the technology to use for this project. 

[C. Kirby]

There are not really any workarounds, just different architecture - save your bookmarks to the django project instead of on the local filesystem. You can also look into using html5 local storage. Just note that either of these architecture changes would mean rolling your own bookmark system instead of utilizing the one you use now. It is fundamentally insecure to do it the way you want to do it, and unlikely to be hacked around.
Sometimes projects fail due to outside forces or not completely understanding the problem domain. This may be one of those cases, and that is unfortunate.
If this is your first experience with django, don't hold it against the framework - the issue you have run into unequivocally has nothing to do with django. You would run into the same issue using any web framework in any language. 

[Aseem Bansal]

This bookmarker that I want to make will be th repacement for my webbrowser's boomarks so I will be storing the bookmarks in sqlite DB. As per my understanding using html5 local storage is more of a temporary storage. A sqlite3 db will be portable hence keeping my bookmarks with me in case I want to transfer computers.  Didn't get what will be insecure?Storage into sqlite3 db or turning off web browser's security?

I am not going to hold it against the framework. I am just going to look for a workaround. There is always a workaround. Client and server are on the same machine and they will be even after this is complete so why cannot I just ask the server to open the webpage? The security applies to browser's not allowing file protocol but my project's code is Python and there is webbrowser module available to server. Couldn't I just ask the server to open the webpage? They are after all on same machine. Any problems in that or am I missing something here?

[C. Kirby]

If they are always going to be on the same machine then why don't you open the file on the view side and render it as text to the browser?

[François Schiettecatte]

You are not going to get a work-around to a page being served by a web server not having access to the local file system, that would be a serious bug in the browser security model.

What you can do is have the webpage be a file on your drive, open that with a browser (locally, not via a web server) and make REST/AJAX calls to your web server returning JSONP encoded data.

Even easier, just have the browser store your bookmarks in the cloud, you can do that with Safari, Chrome and Firefox. You wont be able to share bookmarks across browsers, but if you stick to Chrome you just need to sign into you goggle account on the computer you are using. No need for django/webservers/etc... in this case.

François

> To view this discussion on the web visit https://groups.google.com/d/msgid/django-users/77803bee-32d5-4e81-9316-877ebe1dd9de%40googlegroups.com.

[Aseem Bansal]

I am averse to doing that because I have offline bookmarks like the Python documentation also which contain a lot of links. If I rendered it as text then this problem will go in an loop. The browser will not allow any of the rendered links on that page to be opened. So a solution is needed. That is why I am considering using the fact that browser and server are on same machine. Instead of rendering the links on my search page I can instead render reference numbers which I can use to send requests to the server. Then the server will be able to use webbrowser.open for opening the required webpage. A little change will help me solve this problem. 

I guess I need to thank Daniel Roseman. If he had not mentioned that client and server are on same machine explicitly I would never have looked at the possible benefits of this. I understand that this is not a good solution as this makes my implementation dependent on client and server being on same machine.

I am also considering using JavaScript window.open in the onclick of the bookmark. That way it might work. Need to check.

[Aseem Bansal]

Just wanted to say that window.open failed for locally stored files. Guess browser security is good in Chrome.

[Aseem Bansal]

I guess I should tell that the thing worked. Using server to open the web pages worked. I made ajax calls via jQuery to the server and used code there to do the rest. A bummer out of way. Just adding here in case someone is doing the same thing in future. :D