Security error loading local files using Ajax requests from FileAPI due to XHR over fetch not working for ms-appdata:

Confirmed Issue #11995268 • Assigned to Rajat J.

Details

Author
Luis O.
Created
May 12, 2017
Privacy
This issue is public.
Found in
  • Microsoft Edge
Found in build #
40.15063
Reports
Reported by 3 people


Steps to reproduce

I developed a Windows 10 app using Cordova for Windows. The app stores files locally using the file API and this plugin. Then, the app loads these files using Ajax requests pointing to ms-appdata:///local/.* addresses.

Until Windows 10 Creators Update, the Ajax requests worked properly and the app was able to load the local files successfully. However, after installing the Creators Update, the app is no longer able to load any file from fileAPI: in fact, the same Ajax requests now call the error handler.

Is it a known issue? Is there any workaround for this?

Attachments

Comments and activity

  • Microsoft Edge Team

    Changed Assigned To to “Steven K.”

  • Hi Luis,

    I am looking into the details about your question.  In the meantime, you might find this article interesting on the topic.

    https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/#yIAYX7QAxE2CFzvo.97

    Steve

  • Hi Luis,

    Would you be willing to share your app or a simplified repro version?

    Thank you,

    The MS Edge Team

  • Hi,

    I attached a demo for this issue (see zip file in attachment).

    Repro steps:

    1. Run the solution
    2. Click the “Download image file” button
    3. Click “Load image using file API”
      [Result] The image is correctly rendered in the right panel, regardless of Windows 10 release
    4. Click the “Clear screen” button
    5. Click “Load image using Ajax request”
      [Result] Using Windows 10 release prior to Creators Update (1703), it works fine. The local image is correctly rendered.
      Using Windows 10 with release >= 1703, it throws an error when loading the image

    My app, in some scenarios, needs to perform Ajax requests to local files, hence it’s failing on devices with Windows 10 Creators Update installed.

  • Microsoft Edge Team

    Changed Assigned To to “wwatri”

    Changed Assigned To from “wwatri” to “Liang Z.”

    Changed Status to “Confirmed”

  • Hi Luis,

    Thank you for creating and sending the repro.  I was able to reproduce it.

    One question, I thought I would double check on.  Are you using the Cordova Whitelist plugin?

    https://taco.visualstudio.com/en-us/docs/cordova-security-whitlists/

    I saw this note bolded in that link:

    "A critical aspect of this security model is that absolutely no network access of any kind is allowed without the installation of a Cordova plugin."

  • I see that you have it included.

    As an fyi, this is the specific error I see for the image request being blocked:

    “CSP14312: Resource violated directive 'default-src 'self' data: gap: https://www.w3.org 'unsafe-eval'' in <meta http-equiv="Content-Security-Policy">: ms-appdata:///local/w3c-developers.png. Resource will be blocked.”

    Steve

  • Microsoft Edge Team

    Changed Title from “Security error loading local files using Ajax requests from FileAPI” to “Security error loading local files using Ajax requests from FileAPI due to XHR over fetch not working for ms-appdata:”

    Changed Assigned To from “Liang Z.” to “Rajat J.”
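
The CSP14312 message quoted in the thread names `default-src` because the policy has no `img-src` or `connect-src`, so image and XHR loads fall back to it, and none of its sources covers the `ms-appdata:` scheme. The sketch below is an added example, not code from the thread or from Edge, that applies simplified CSP source matching to the reported policy. `DOCUMENT_URL` and the function names are assumptions, and it models only the policy check, not the XHR behavior named in the issue title.

```javascript
// Added example: simplified CSP source-list matching for the policy in the
// CSP14312 message. Handles keyword, scheme and host sources only
// (no paths, ports or wildcards).
const REPORTED_POLICY =
  "default-src 'self' data: gap: https://www.w3.org 'unsafe-eval'";

// Assumption: the app's document URL; the thread does not state it.
const DOCUMENT_URL = 'ms-appx-web://example-app/www/index.html';

function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

function sourceMatches(source, target, self) {
  if (source === "'self'") {
    return target.protocol === self.protocol && target.host === self.host;
  }
  if (/^'.*'$/.test(source)) return false; // other keywords never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) { // scheme-source such as data:
    return target.protocol === source.toLowerCase();
  }
  // host-source, with or without a scheme (schemeless uses the document's)
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)$/i.exec(source);
  if (!m) return false;
  const scheme = m[1] ? m[1].toLowerCase() + ':' : self.protocol;
  return target.protocol === scheme && target.hostname === m[2].toLowerCase();
}

// Returns which directive governed the load and whether a source matched.
function evaluate(policy, directive, url, documentUrl = DOCUMENT_URL) {
  const directives = parsePolicy(policy);
  const effective = directives.has(directive) ? directive : 'default-src';
  const sources = directives.get(effective);
  if (!sources) return { effective: null, allowed: true }; // nothing governs it
  const target = new URL(url);
  const self = new URL(documentUrl);
  const allowed = sources.some((s) => sourceMatches(s, target, self));
  return { effective, allowed };
}
```

Calling `evaluate(REPORTED_POLICY, 'img-src', 'ms-appdata:///local/w3c-developers.png')` returns `{ effective: 'default-src', allowed: false }`, which corresponds to the directive named in the console message.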
