Security error loading local files using Ajax requests from FileAPI due to XHR over fetch not working for ms-appdata:
Fixed, not yet flighted Issue #11995268
Details
- Author
- Luis O.
- Created
- May 12, 2017
- Privacy
- This issue is public.
- Found in
- Found in build #
- 40.15063
- Reports
- Reported by 9 people
Sign in to watch or report this issue.
Steps to reproduce
I developed a Windows 10 app using Cordova for Windows. The app stores files locally using the file API and this plugin. Then, the app loads these files using Ajax requests poiting to ms-appdata:///local/.* addresses.
Until Windows 10 Creators Update, the Ajax requests work properly and the app was able to load the local files successfully. However, after installing the Creators Update, the app is not able anymore to load any file from fileAPI: in fact, the same Ajax requests now calls the error handler.
Is it a known issue? Is there any workaround for this?
Comments and activity
-
Microsoft Edge Team Changed Assigned To to “Steven K.”
-
Hi Luis,
I am looking into the details about your question. In the meantime, you might find this article interesting on the topic.
Steve
-
Hi Luis,
Would you be willing to share your app or a simplified repro version?
Thank you,
The MS Edge Team
-
Hi,
I attached a demo for this issue (see zip file in attachment).
Repro steps:
- Run the solution
- Click in “Download image file” button
- Click in “Load image using file API”
[Result] The image is correctly rendered in right panel, regardless of Windows 10 release - Click in “Clear screen” button
- Click in “Load image using Ajax request”
[Result] Using Windows 10 release prior to Creators Update (1703), it works fine. The local image is correctly rendered.
Using Windows 10 with release >= 1703, it throws an error when loading the image
My app, in some scenarios, needs to perform Ajax requests to local files hence it’s failing in devices with Windows 10 creators update installed.
- Microsoft Edge Team
Changed Assigned To to “wwatri”
Changed Assigned To from “wwatri” to “Liang Z.”
Changed Status to “Confirmed”
-
Hi Luis,
Thank you for creating and sending the repro. I was able to reproduce it.
One question, I thought I would double check on. Are you using the Cordova Whitelist plugin?
https://taco.visualstudio.com/en-us/docs/cordova-security-whitlists/
I saw this note bolded in that link:
"
A critical aspect of this security model is thatabsolutely no network access of any kind is allowed without the installation of a Cordova plugin
." -
I see that you have it included.
As an fyi, this is the specific error I see for the image request being blocked:
“CSP14312: Resource violated directive 'default-src ‘self’ data: gap: https://www.w3.org ‘unsafe-eval’’ in <meta http-equiv="Content-Security-Policy">: ms-appdata:///local/w3c-developers.png. Resource will be blocked.”
Steve
- Microsoft Edge Team
Changed Title from “Security error loading local files using Ajax requests from FileAPI” to “Security error loading local files using Ajax requests from FileAPI due to XHR over fetch not working for ms-appdata:”
Changed Assigned To from “Liang Z.” to “Rajat J.”
Changed Status from “Confirmed” to “Fixed”
-
Issue is marked as fixed since nearly two weeks. When will the fix be published via windows update?
Felix
-
Our business line apps are broken at some of our customers due to this issue.
Is there a workarround?
- Microsoft Edge Team
Changed Status from “Fixed” to “Fixed, not yet flighted”
-
I am now experiencing this exact same error in porting an Android/IOS Cordova app to Windows 10 UWP. What is the status of this as it last shows “Fixed, not yet flighted” It seems that it is NOT fixed - is there a timeframe and/or work around.
-
As a workarround in our cordova apps we use this function whenever an uri/url starts with 'ms-appdata:///’:
function loadLocalFileContent(uri, ready, error) { // win10 bug: ajax on ms-appdata://local/* fails // https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/11995268/ function readFile(fileEntry) { fileEntry.file(function (file) { var reader = new FileReader(); reader.onloadend = function () { var result = this.result; window.console.log("read file ", {uri: uri, file: fileEntry, result: result}); ready(result); }; reader.readAsText(file); }, error); } window.resolveLocalFileSystemURL(uri, readFile, error); } -
Thanks that is great but my issue is a little harder - I am downloading hundreds of zip files which contain thousands of base64 strings which I write to an SQLite DB. I am struggling to open the file with the right contents to pass to the unzip code (which is a full JS implementation as Windows.IO.Compression cannot cope with zipped folders).
The additional error which stops me from opening the download directly is that it appears the Edge UWP XMLHttpRequest object does not support passing cookie data when .withCredentials = true and hence I need to use cordova-plugin-file-transfer as I can set a Cookie header. The joy of this port goes on and on… I have tried readBinaryFile but did not blob it so will give this a go.
I just wish the UWP team would have thought unzipping folders would be a good idea to support, XMLHttpRequest should be able to open the apps own files, etc. The lost goes on and on, thanks again for the code.
-
Any update on this ? It has been in status “Fixed, not yet flighted” for more than 6 months. This seems like a long time for a fix to exist without being released - is the status correct? This is blocking my cordova Android to Windows port.
Martin
You need to sign in to your Microsoft account to add a comment.
Sign in