How to access local files from an extension?

I have created a browser extension that allows to navigate through local images using arrow keys. To do that, it fetches the directory index and adds images, which are next to the currently opened one, to the DOM. E.g. when you open file:///path/to/image.png in Firefox, the content script of the addon fetches file:///path/to and parses the filenames from the returned directory index.

Unfortunately, this only works when security.fileuri.strict_origin_policy is set to false in about:config. In the default config, fetching local directory index does not work because it’s considered a Cross-Origin Request and throws a NetworkError. Obviously, I am looking for an alternative here that allows me to add other images from the same directory into the DOM but does not rely on disabling a security measure. The option of running a local server that would return the directory index is known to me but I am looking for a solution that requries less setup effort and only runs in the browser.

You can find the extension here: https://github.com/nikolockenvitz/local-image-viewer. I already tried doing the request from a background script. This does not work even when adjusting settings in about:config. Instead, it shows Security Error: Content at moz-extension://... may not load data from file:///. The same request (fetch("file:///", { mode: "same-origin"}).then(response => response.text()).then(console.log);) works when doing it from a content script and setting said config to false. I also tried adding "file:///*" to permissions in manifest - also didn’t work.

Does someone know a workaround? I did not found any except the local server. Also, this discussion suggests there is none.

Shouldn’t it be possible to give extensions the permission to access local files without disabling the aforementioned security measure? I would not mind having to enable file access for an extension in an about page or some group policy. E.g. for links to local files, it seems to be possible to allow it using group policies.

Is this the right place to ask for such a feature or where would be the right place to reach out?

There may be a way…

See also those two links at the bottom of that comment.

Thanks for pointing this out. I already found this issue comment some time ago. Unfortunately, it’s for another use case where you want to have a link to a local file on a web page. This workaround enables file:/// links which are otherwise not clickable. But it would be great to have a similar way of allowing exceptions for my use case.

I don’t know if Firefox supports the filesystem: scheme in extension CSPs, or if that would even help in this case, but I can’t think of anything else

Thanks. But this does not work for my use case. While Firefox recognizes the filesystem: scheme, it still does not allow to fetch anything from the local files. In my understanding, CSP is just an additional security measure: If you cannot load a resource because it’s a blocked Cross-Origin Request, CSP will not enable you to do so. CSP only further restricts the resources you are able to load.

https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Working_with_files outlines all file system interactions that should work.

I just saw that Firefox supports https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/extension/isAllowedFileSchemeAccess

But actually allowing file:// scheme access hasn’t been implemented:

Thanks @freaktechnik and @hans_squared! It seems it’s not possible at the moment.

In the meantime I had another idea how to enable file access without disabling the security measure completely. One could create an extension that intercepts all file:// requests and blocks them unless they are from a trusted extension/file. Basically, an extension would then do what I would expect Firefox to handle natively. I will also check whether native support for such an exception would be possible.

I’ll post an update here, if there is anything worth mentioning for one of the two. Probably takes some time as I am pretty busy right now.