Security error loading local files using Ajax requests from FileAPI due to XHR over fetch not working for ms-appdata:
Fixed, not yet flighted Issue #11995268
Details
- Author
- Luis O.
- Created
- May 12, 2017
- Privacy
- This issue is public.
- Found in
- Found in build #
- 40.15063
- Reports
- Reported by 9 people
Sign in to watch or report this issue.
Steps to reproduce
I developed a Windows 10 app using Cordova for Windows. The app stores files locally using the file API and this plugin. Then, the app loads these files using Ajax requests poiting to ms-appdata:///local/.*
addresses.
Until Windows 10 Creators Update, the Ajax requests work properly and the app was able to load the local files successfully. However, after installing the Creators Update, the app is not able anymore to load any file from fileAPI: in fact, the same Ajax requests now calls the error handler.
Is it a known issue? Is there any workaround for this?
Attachments
1 attachment
Comments and activity
-
Microsoft Edge Team
Steven K. May 12, 2017 2017-05-12T18:37:13.097Z
Changed Assigned To to “Steven K.”
-
Steven K. May 16, 2017 2017-05-16T03:01:37.38Z Microsoft Edge Team
Hi Luis,
I am looking into the details about your question. In the meantime, you might find this article interesting on the topic.
Steve
-
Steven K. May 16, 2017 2017-05-16T16:25:09.557Z Microsoft Edge Team
Hi Luis,
Would you be willing to share your app or a simplified repro version?
Thank you,
The MS Edge Team
-
Luis O. May 26, 2017 2017-05-26T15:12:21.707Z
Hi,
I attached a demo for this issue (see zip file in attachment).
Repro steps:
- Run the solution
- Click in “Download image file” button
- Click in “Load image using file API”
[Result] The image is correctly rendered in right panel, regardless of Windows 10 release - Click in “Clear screen” button
- Click in “Load image using Ajax request”
[Result] Using Windows 10 release prior to Creators Update (1703), it works fine. The local image is correctly rendered.
Using Windows 10 with release >= 1703, it throws an error when loading the image
My app, in some scenarios, needs to perform Ajax requests to local files hence it’s failing in devices with Windows 10 creators update installed.
-
Microsoft Edge Team
OSG V. Jun 13, 2017 2017-06-13T02:39:52.963Z
Changed Assigned To to “wwatri”
Daniel L. Jun 14, 2017 2017-06-14T16:01:21.443Z
Changed Assigned To from “wwatri” to “Liang Z.”
Daniel L. Jun 19, 2017 2017-06-19T22:42:15.703Z
Changed Status to “Confirmed”
-
Steven K. Jun 21, 2017 2017-06-21T01:04:45.883Z Microsoft Edge Team
Hi Luis,
Thank you for creating and sending the repro. I was able to reproduce it.
One question, I thought I would double check on. Are you using the Cordova Whitelist plugin?
https://taco.visualstudio.com/en-us/docs/cordova-security-whitlists/
I saw this note bolded in that link:
"
A critical aspect of this security model is thatabsolutely no network access of any kind is allowed without the installation of a Cordova plugin
." -
Steven K. Jun 21, 2017 2017-06-21T01:18:55.783Z Microsoft Edge Team
I see that you have it included.
As an fyi, this is the specific error I see for the image request being blocked:
“CSP14312: Resource violated directive 'default-src ‘self’ data: gap: https://www.w3.org ‘unsafe-eval’’ in <meta http-equiv="Content-Security-Policy">: ms-appdata:///local/w3c-developers.png. Resource will be blocked.”
Steve
-
Microsoft Edge Team
Liang Z. Jun 22, 2017 2017-06-22T20:41:44.697Z
Changed Title from “Security error loading local files using Ajax requests from FileAPI” to “Security error loading local files using Ajax requests from FileAPI due to XHR over fetch not working for ms-appdata:”
Liang Z. Jun 22, 2017 2017-06-22T20:41:44.697Z
Changed Assigned To from “Liang Z.” to “Rajat J.”
Rajat J. Jun 30, 2017 2017-06-30T22:56:26.23Z
Changed Status from “Confirmed” to “Fixed”
-
sitewaerts G. Jul 12, 2017 2017-07-12T16:12:38.823Z
Issue is marked as fixed since nearly two weeks. When will the fix be published via windows update?
Felix
-
sitewaerts G. Jul 12, 2017 2017-07-12T16:18:19.47Z
Our business line apps are broken at some of our customers due to this issue.
Is there a workarround?
-
Microsoft Edge Team
pbstools Jul 14, 2017 2017-07-14T05:58:52.04Z
Changed Status from “Fixed” to “Fixed, not yet flighted”
-
David M. Aug 17, 2017 2017-08-17T07:19:52.06Z
I am now experiencing this exact same error in porting an Android/IOS Cordova app to Windows 10 UWP. What is the status of this as it last shows “Fixed, not yet flighted” It seems that it is NOT fixed - is there a timeframe and/or work around.
-
sitewaerts G. Aug 17, 2017 2017-08-17T07:31:33.997Z
As a workarround in our cordova apps we use this function whenever an uri/url starts with 'ms-appdata:///’:
function loadLocalFileContent(uri, ready, error) { // win10 bug: ajax on ms-appdata://local/* fails // https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/11995268/ function readFile(fileEntry) { fileEntry.file(function (file) { var reader = new FileReader(); reader.onloadend = function () { var result = this.result; window.console.log("read file ", {uri: uri, file: fileEntry, result: result}); ready(result); }; reader.readAsText(file); }, error); } window.resolveLocalFileSystemURL(uri, readFile, error); }
-
David M. Aug 17, 2017 2017-08-17T07:54:41.967Z
Thanks that is great but my issue is a little harder - I am downloading hundreds of zip files which contain thousands of base64 strings which I write to an SQLite DB. I am struggling to open the file with the right contents to pass to the unzip code (which is a full JS implementation as Windows.IO.Compression cannot cope with zipped folders).
The additional error which stops me from opening the download directly is that it appears the Edge UWP XMLHttpRequest object does not support passing cookie data when .withCredentials = true and hence I need to use cordova-plugin-file-transfer as I can set a Cookie header. The joy of this port goes on and on… I have tried readBinaryFile but did not blob it so will give this a go.
I just wish the UWP team would have thought unzipping folders would be a good idea to support, XMLHttpRequest should be able to open the apps own files, etc. The lost goes on and on, thanks again for the code.
-
Martin C. Feb 27, 2018 2018-02-27T10:10:36.227Z
Any update on this ? It has been in status “Fixed, not yet flighted” for more than 6 months. This seems like a long time for a fix to exist without being released - is the status correct? This is blocking my cordova Android to Windows port.
Martin
You need to sign in to your Microsoft account to add a comment.
Sign in