I asked part of this question under a different area here but this question focuses on the security risk.
I have a web extension that, in certain instances, uses an iframe within a local HTML page that loads another local HTML page. Since I build this in my free time, I do it in pieces over time, and this piece was working several months ago but now has a cross-origin issue even though the files are from the same origin. The two could reference one another’s window previously, because the iframe file was in a subdirectory of the directory containing the parent document, but that no longer works unless security.fileuri.strict_origin_policy is set to false.
According to the now obsolete article “The Same-origin policy for file: URIs” at https://developer.mozilla.org/en-US/docs/Archive/Misc_top_level/Same-origin_policy_for_file:_URIs, this at least worked in the past. And I know it did, because my code used to work.
I can still load other local resources, such as an image, PDF, or audio file, directly into a local HTML page via a relative path, and iframe scripts execute as long as they are same-origin under these obsolete rules; but the HTML file in the same directory is treated as a different origin when it is in an iframe and attempts to communicate with the parent window.
I thought script execution within an iframe required same origin; so, I don’t understand why for communication the two are considered of different origins, when the script is permitted to execute.
My question is what is the risk to the user of an extension if this configuration setting is set to permit cross-origin for local files only? The extension I am working on requests several API permissions.
I plan on recommending that the user set up a separate profile for the extension and use it like a desktop application rather than for normal internet usage. They could work offline but need to check for updates and can download free resources for the extension tool from my web site through the extension itself.
Does this leave the user at risk and is there anything that should be done to protect them, or is it better to not do this at all? It is not essential to the extension tool, but makes certain items easier for the user to access and validate.
Perhaps, if it is a risk to do this, since this is in an extension, a hidden tab could be used that is same origin, rather than an iframe. I guess a hidden tab and a hidden iframe are much the same in terms of memory usage; but I’m not 100% certain about that.
Thank you.
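As an added illustration, not part of the original post and not browser code, the following JavaScript models three ways a parent/iframe pair of file: documents can be judged: the directory-ancestor rule from the archived article, the per-file handling the post observes, and the preference set to false. The paths, function names, and mode names are constructed for the example.

```javascript
// Added model of file: origin decisions; names and paths are hypothetical.
const PARENT = "file:///home/user/tool/index.html";
const CHILD = "file:///home/user/tool/panels/frame.html";
const OUTSIDE = "file:///home/user/Documents/notes.html";

// Directory part of a file: URL, always ending in "/".
// new URL() also resolves "../" segments, so traversal cannot fake a prefix.
function dirOf(fileUrl) {
  const u = new URL(fileUrl);
  if (u.protocol !== "file:") throw new TypeError("not a file: URL: " + fileUrl);
  return u.pathname.slice(0, u.pathname.lastIndexOf("/") + 1);
}

// Archived-article rule: the originating file's directory must be an
// ancestor of (or equal to) the directory holding the target file.
function legacyCanRead(originUrl, targetUrl) {
  if (new URL(targetUrl).pathname.endsWith("/")) return false; // no directories
  // The trailing "/" keeps "/tool/" from matching "/tool2/".
  return dirOf(targetUrl).startsWith(dirOf(originUrl));
}

// mode "legacy": a framed file shares the parent's origin only if the
//                parent could read it under the ancestor rule.
// mode "unique": every file is its own origin (what the post now sees).
// mode "off":    strict policy disabled, all file: documents are treated alike.
function frameSameOrigin(parentUrl, frameUrl, mode) {
  dirOf(parentUrl); dirOf(frameUrl); // reject anything that is not file:
  switch (mode) {
    case "legacy": return legacyCanRead(parentUrl, frameUrl);
    case "unique": return parentUrl === frameUrl;
    case "off": return true;
    default: throw new RangeError("unknown mode: " + mode);
  }
}

for (const mode of ["legacy", "unique", "off"]) {
  console.log(mode, {
    child: frameSameOrigin(PARENT, CHILD, mode),
    outside: frameSameOrigin(PARENT, OUTSIDE, mode),
  });
}
```

In this model only the "off" mode lets the extension page and an unrelated local file share an origin, which is the difference between the old subdirectory behaviour and setting the preference to false.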