Wednesday, March 01, 2006

Links to local files with Firefox 1.5

This is a little annoyance that has been bugging me infrequently for a while since I moved to the latest version of Firefox. The default settings for this version and previous ones were to disallow links to local files, presumably because a hacker could write a page with sneaky hidden frames and such to read your system settings.

I mentioned before in my old blog that you could enable local links for all pages in Firefox 1.0.x (can't remember the exact version they put it into). This was all well and good, but obviously caused sleepless nights for a few security conscious nerds because in Firefox 1.5 you can do it on a site-by-site basis (I'll sleep a lot easier now).

Go to the URL about:config.

You can add the following three preferences using right click then selecting New -> String.
You'll have to do this for each preference below:

Preference NameString value
capability.policy.policynameslocalfilelinks
capability.policy.localfilelinks.siteshttp://yourdomain.com
capability.policy.localfilelinks.checkloaduri.enabledallAccess


Firefox doesn't show these values on the about:config page even after a restart,
but they do work. You can confirm they have been added by looking at
your prefs.js file. On Windows 2000/XP this is in
Documents and Settings\youruser\Application Data\Mozilla\Firefox\Profiles\randomstring.default\prefs.js.

Enter multiple URLs by separating them with a space. For more info including other versions, see Mozillazine.

4 comments:

Anonymous said...

Since the most recent Firefox upgrade, this no longer seems to work. Does anyone else have the same experience?

Michael Hinds said...

Hi Bill,

I'm on FF 2.0.0.11 and got it working by doing the above, and also setting security.checkloaduri to false. Unlike the others, security.checkloaduri is displayed on about:config so just double click it to change the value.

Anonymous said...

I'm concerned that security.checkloaduri is global, and changing that affects ALL web pages.

Michael Hinds said...

@zappie:

Sorry, I haven't tried it but I think this page points to the answer.