Insider attacks tend to pose a greater computer security risk than external ones because insiders tend to be trusted with greater systems access privileges than outsiders, not to mention physical access to systems.
The situation is similar with local files on computers, which tend to be accorded greater privileges than remote files.
The engineers working on Google's Chrome browser have been wrestling with this very issue. The Chrome beta build released on Nov. 24 included a security fix for a vulnerability that allowed downloaded HTML files to read other local files and send them out to the Internet.
Part of the fix included preventing local files from connecting to the Web with an
XMLHttpRequest(), a widely used means of sending text data from Web browsers to Web servers.
And Google is looking at extending this sort of restriction to further tighten browser security.
In a post on the Chromium Blog on Thursday, Google engineer Adam Barth suggested that Google is considering additional restrictions on local Web pages, such as directory-based restrictions or preventing local Web pages from sending information to the Internet across a broader set of protocols.
One consequence of Google's disinclination to provide users with an override option in this instance is that Web developers may be inconvenienced in the future, as one of the comments on Barth's post suggests, by Chrome's potential inflexibility. Another consequence is that offline Web applications, like the open source TiddlyWiki, which relies on local HTML pages, could become less functional under a stronger set of restrictions.
Chrome, however, is a work in progress, and it remains to be seen how Google's security decisions will affect the browser's usability and security in future releases. Because Chrome comes from the open source Chromium project, those concerned about such issues may wish to participate in the development process, if they're not doing so already.