Security error loading local files using Ajax requests from FileAPI due to XHR over fetch not working for ms-appdata:

Author: Luis O.
Created: May 12, 2017
Privacy: This issue is public.
Found in
Found in build #: 40.15063
Reports: Reported by 3 people

I developed a Windows 10 app using Cordova for Windows. The app stores files locally using the file API and this plugin. Then, the app loads these files using Ajax requests poiting to ms-appdata:///local/.* addresses.

Until Windows 10 Creators Update, the Ajax requests work properly and the app was able to load the local files successfully. However, after installing the Creators Update, the app is not able anymore to load any file from fileAPI: in fact, the same Ajax requests now calls the error handler.

Is it a known issue? Is there any workaround for this?

1 attachment

windows-ajax-offline-126896.zip

Microsoft Edge Team
Steven K. May 12, 2017 2017-05-12T18:37:13.097Z
Changed Assigned To to “Steven K.”
Steven K. May 16, 2017 2017-05-16T03:01:37.38Z Microsoft Edge Team
Hi Luis,

I am looking into the details about your question. In the meantime, you might find this article interesting on the topic.

https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/#yIAYX7QAxE2CFzvo.97

Steve
Steven K. May 16, 2017 2017-05-16T16:25:09.557Z Microsoft Edge Team
Hi Luis,

Would you be willing to share your app or a simplified repro version?

Thank you,

The MS Edge Team
Luis O. May 26, 2017 2017-05-26T15:12:21.707Z
Hi,

I attached a demo for this issue (see zip file in attachment).

Repro steps:
1. Run the solution
2. Click in “Download image file” button
3. Click in “Load image using file API”
  [Result] The image is correctly rendered in right panel, regardless of Windows 10 release
4. Click in “Clear screen” button
5. Click in “Load image using Ajax request”
  [Result] Using Windows 10 release prior to Creators Update (1703), it works fine. The local image is correctly rendered.
  Using Windows 10 with release >= 1703, it throws an error when loading the image
My app, in some scenarios, needs to perform Ajax requests to local files hence it’s failing in devices with Windows 10 creators update installed.
Microsoft Edge Team
OSG V. Jun 13, 2017 2017-06-13T02:39:52.963Z
Changed Assigned To to “wwatri”

Daniel L. Jun 14, 2017 2017-06-14T16:01:21.443Z
Changed Assigned To from “wwatri” to “Liang Z.”

Daniel L. Jun 19, 2017 2017-06-19T22:42:15.703Z
Changed Status to “Confirmed”
Steven K. Jun 21, 2017 2017-06-21T01:04:45.883Z Microsoft Edge Team
Hi Luis,

Thank you for creating and sending the repro. I was able to reproduce it.

One question, I thought I would double check on. Are you using the Cordova Whitelist plugin?

https://taco.visualstudio.com/en-us/docs/cordova-security-whitlists/

I saw this note bolded in that link:

"
A critical aspect of this security model is that

absolutely no network access of any kind is allowed without the installation of a Cordova plugin
."
Steven K. Jun 21, 2017 2017-06-21T01:18:55.783Z Microsoft Edge Team
I see that you have it included.

As an fyi, this is the specific error I see for the image request being blocked:

“CSP14312: Resource violated directive 'default-src ‘self’ data: gap: https://www.w3.org ‘unsafe-eval’’ in <meta http-equiv="Content-Security-Policy">: ms-appdata:///local/w3c-developers.png. Resource will be blocked.”

Steve
Microsoft Edge Team
Liang Z. Jun 22, 2017 2017-06-22T20:41:44.697Z
Changed Title from “Security error loading local files using Ajax requests from FileAPI” to “Security error loading local files using Ajax requests from FileAPI due to XHR over fetch not working for ms-appdata:”

Liang Z. Jun 22, 2017 2017-06-22T20:41:44.697Z
Changed Assigned To from “Liang Z.” to “Rajat J.”

You need to sign in to your Microsoft account to add a comment.

Security error loading local files using Ajax requests from FileAPI due to XHR over fetch not working for ms-appdata:

Details

Steps to reproduce

Attachments

1 attachment

Comments and activity