> We're talking about playing a *URL* using a relative path.
> There's no security reason that this can't be allowed....
That assumes we always have full usage context, which we don't always
get from the browsing agent. This is where the story fell down.
Back around 2002 or so, there actually were a number of Very Angry
People who were ready to throttle us because there were vague cases
wherein you could do a theoretical walk of local directories by forcing
local relative paths and checking error results. This particular error
code pretty completely wiped out that 'privacy attack' vector.