Mobile // Mobile Applications
04:56 PM
Connect Directly

Google's Chrome Team Mulls Local File Restrictions

Google engineers are looking at extending Chrome's restrictions on local Web pages to further tighten the Web browser's security across a broader set of protocols.

Insider attacks tend to pose a greater computer security risk than external ones because insiders tend to be trusted with greater systems access privileges than outsiders, not to mention physical access to systems.

The situation is similar with local files on computers, which tend to be accorded greater privileges than remote files.

The engineers working on Google's Chrome browser have been wrestling with this very issue. The Chrome beta build released on Nov. 24 included a security fix for a vulnerability that allowed downloaded HTML files to read other local files and send them out to the Internet.

Part of the fix included preventing local files from connecting to the Web with an XMLHttpRequest(), a widely used means of sending text data from Web browsers to Web servers.

And Google is looking at extending this sort of restriction to further tighten browser security.

In a post on the Chromium Blog on Thursday, Google engineer Adam Barth suggested that Google is considering additional restrictions on local Web pages, such as directory-based restrictions or preventing local Web pages from sending information to the Internet across a broader set of protocols.

Different browsers approach local file rights in different ways. Microsoft Internet Explorer, for example, restricts local Web pages so they can't run JavaScript by default. However, Microsoft provides Internet Explorer users with the option to override this restriction through a yellow "infobar" that restores JavaScript functionality for local Web pages.

Google disagrees with this approach and takes a more paternalistic stance in Chrome. "We chose not to disable JavaScript with an 'infobar' override (like Internet Explorer) because most users do not understand the security implications of re-enabling JavaScript and simply re-enable it to make pages work correctly," Barth explained in his post.

One consequence of Google's disinclination to provide users with an override option in this instance is that Web developers may be inconvenienced in the future, as one of the comments on Barth's post suggests, by Chrome's potential inflexibility. Another consequence is that offline Web applications, like the open source TiddlyWiki, which relies on local HTML pages, could become less functional under a stronger set of restrictions.

Chrome, however, is a work in progress, and it remains to be seen how Google's security decisions will affect the browser's usability and security in future releases. Because Chrome comes from the open source Chromium project, those concerned about such issues may wish to participate in the development process, if they're not doing so already.

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest, Dec. 9, 2014
Apps will make or break the tablet as a work device, but don't shortchange critical factors related to hardware, security, peripherals, and integration.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of January 18, 2015.
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.