Security error loading local files using Ajax requests from FileAPI due to XHR over fetch not working for ms-appdata:

Fixed, not yet flighted Issue #11995268

Details

Author
Luis O.
Created
May 12, 2017
Privacy
This issue is public.
Found in
  • Microsoft Edge
Found in build #
40.15063
Reports
Reported by 8 people


Steps to reproduce

I developed a Windows 10 app using Cordova for Windows. The app stores files locally using the file API and this plugin. Then, the app loads these files using Ajax requests pointing to ms-appdata:///local/.* addresses.

Until Windows 10 Creators Update, the Ajax requests worked properly and the app was able to load the local files successfully. However, after installing the Creators Update, the app is no longer able to load any file from fileAPI: in fact, the same Ajax requests now call the error handler.

Is it a known issue? Is there any workaround for this?

Attachments

Comments and activity

  • Microsoft Edge Team

    Changed Assigned To to “Steven K.”

  • Hi Luis,

    I am looking into the details about your question.  In the meantime, you might find this article interesting on the topic.

    https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/#yIAYX7QAxE2CFzvo.97

    Steve

  • Hi Luis,

    Would you be willing to share your app or a simplified repro version?

    Thank you,

    The MS Edge Team

  • Hi,

    I attached a demo for this issue (see zip file in attachment).

    Repro steps:

    1. Run the solution
    2. Click the “Download image file” button
    3. Click “Load image using file API”
      [Result] The image is correctly rendered in the right panel, regardless of Windows 10 release
    4. Click the “Clear screen” button
    5. Click “Load image using Ajax request”
      [Result] Using a Windows 10 release prior to Creators Update (1703), it works fine. The local image is correctly rendered.
      Using Windows 10 with release >= 1703, it throws an error when loading the image

    My app, in some scenarios, needs to perform Ajax requests to local files, hence it’s failing on devices with Windows 10 Creators Update installed.

  • Microsoft Edge Team

    Changed Assigned To to “wwatri”

    Changed Assigned To from “wwatri” to “Liang Z.”

    Changed Status to “Confirmed”

  • Hi Luis,

    Thank you for creating and sending the repro.  I was able to reproduce it.

    One question, I thought I would double check on.  Are you using the Cordova Whitelist plugin?

    https://taco.visualstudio.com/en-us/docs/cordova-security-whitlists/

    I saw this note bolded in that link:

    "A critical aspect of this security model is that absolutely no network access of any kind is allowed without the installation of a Cordova plugin."

  • I see that you have it included.

    As an fyi, this is the specific error I see for the image request being blocked:

    “CSP14312: Resource violated directive 'default-src ‘self’ data: gap: https://www.w3.org ‘unsafe-eval’’ in <meta http-equiv="Content-Security-Policy">: ms-appdata:///local/w3c-developers.png. Resource will be blocked.”

    Steve
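Why the policy in that CSP14312 message rejects the image URL, as an added example that is not part of the original thread: a simplified source-list check covering only the source forms that appear in the quoted `default-src`. The page origin `ms-appx-web://example-app` is a constructed assumption, and the matcher is not the full CSP algorithm.

```javascript
// Added example: simplified CSP source-list matching (scheme-source,
// scheme://host source, 'self'); ports, paths and wildcards are not modelled.
const POLICY = "default-src 'self' data: gap: https://www.w3.org 'unsafe-eval'";
const PAGE_ORIGIN = "ms-appx-web://example-app"; // assumed app origin (constructed)

// Return the source expressions of one directive, or null if it is absent.
function parseDirective(policy, name) {
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null;
}

function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// scheme://authority part of a URL; null for URLs without "//" (e.g. data:).
function originOf(url) {
  const m = /^([a-z][a-z0-9+.-]*:\/\/[^\/?#]*)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// First source expression that admits the URL, or null if none does.
function matchingSource(url, sources, pageOrigin) {
  for (const src of sources) {
    if (src === "'self'") {
      if (originOf(url) === pageOrigin.toLowerCase()) return src;
    } else if (/^'.*'$/.test(src)) {
      continue; // keywords such as 'unsafe-eval' never match a URL
    } else if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) {
      if (schemeOf(url) === src.slice(0, -1).toLowerCase()) return src;
    } else if (originOf(url) === src.toLowerCase()) {
      return src;
    }
  }
  return null;
}

function checkLoad(url, policy, pageOrigin) {
  const sources = parseDirective(policy, "default-src") || [];
  const matched = matchingSource(url, sources, pageOrigin);
  return { url, allowed: matched !== null, matched };
}
```

Under this check only a scheme-source `ms-appdata:` would admit the blocked URL; the thread does not say whether adding it resolves the XHR failure.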

  • Microsoft Edge Team

    Changed Title from “Security error loading local files using Ajax requests from FileAPI” to “Security error loading local files using Ajax requests from FileAPI due to XHR over fetch not working for ms-appdata:”

    Changed Assigned To from “Liang Z.” to “Rajat J.”

    Changed Status from “Confirmed” to “Fixed”

  • Issue has been marked as fixed for nearly two weeks. When will the fix be published via Windows Update?

    Felix

  • Our business line apps are broken at some of our customers due to this issue.

    Is there a workaround?

  • Microsoft Edge Team

    Changed Status from “Fixed” to “Fixed, not yet flighted”

  • I am now experiencing this exact same error in porting an Android/iOS Cordova app to Windows 10 UWP. What is the status of this, as it last shows “Fixed, not yet flighted”? It seems that it is NOT fixed - is there a timeframe and/or workaround?

  • As a workaround in our Cordova apps we use this function whenever a URI/URL starts with 'ms-appdata:///':

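    function loadLocalFileContent(uri, ready, error)
    {
        // win10 bug: ajax on ms-appdata:///local/* fails
        // https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/11995268/

        // Read the resolved FileEntry as text and pass the contents to ready()
        function readFile(fileEntry)
        {
            fileEntry.file(function (file)
            {
                var reader = new FileReader();

                // onload fires only on success; onloadend would also fire after a failed read
                reader.onload = function ()
                {
                    var result = this.result;
                    window.console.log("read file ",
                            {uri: uri, file: fileEntry, result: result});
                    ready(result);
                };
                // Report read failures through the caller's error callback
                reader.onerror = function ()
                {
                    error(reader.error);
                };

                reader.readAsText(file);

            }, error);
        }

        // Map the ms-appdata: URI to a FileEntry (Cordova file plugin)
        window.resolveLocalFileSystemURL(uri, readFile, error);
    }
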
  • Thanks that is great but my issue is a little harder - I am downloading hundreds of zip files which contain thousands of base64 strings which I write to an SQLite DB. I am struggling to open the file with the right contents to pass to the unzip code (which is a full JS implementation as Windows.IO.Compression cannot cope with zipped folders).

    The additional error which stops me from opening the download directly is that it appears the Edge UWP XMLHttpRequest object does not support passing cookie data when .withCredentials = true and hence I need to use cordova-plugin-file-transfer as I can set a Cookie header. The joy of this port goes on and on… I have tried readBinaryFile but did not blob it so will give this a go.

    I just wish the UWP team would have thought unzipping folders would be a good idea to support, XMLHttpRequest should be able to open the app's own files, etc. The list goes on and on, thanks again for the code.
