reading local file resources is still allowed if the enclosing docume…

…nt itself was loaded from file (#786)
HtmlUnit · May 14, 2024 · e104703 · e104703
1 parent 107dbe3
commit e104703
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 3 deletions.
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
@@ -22,7 +22,8 @@
                 Make HtmlElement.type() allow full-width space (\u3000), six-per-em space (\u2006) and tab (\t) characters.
             </action>
             <action type="update" dev="Lai Quang Duong">
-                Prevent iframes from loading local resource for security reason.
+                Prevent iframes from loading local resource for security reason (reading local file resources is still allowed
+                if the enclosing document itself was loaded from file).
             </action>
             <action type="update" dev="Lai Quang Duong">
                 Prevent XMLHttpRequest from loading local resource for security reason.

diff --git a/src/main/java/org/htmlunit/html/BaseFrameElement.java b/src/main/java/org/htmlunit/html/BaseFrameElement.java
@@ -191,14 +191,15 @@ private void loadInnerPageIfPossible(final String src) throws FailingHttpStatusC
                 return;
             }
 
+            final URL pageUrl = page.getUrl();
+
             // accessing to local resource is forbidden for security reason
-            if ("file".equals(url.getProtocol())) {
+            if (!"file".equals(pageUrl.getProtocol()) && "file".equals(url.getProtocol())) {
                 notifyIncorrectness("Not allowed to load local resource: " + source);
                 return;
             }
 
             final Charset pageCharset = page.getCharset();
-            final URL pageUrl = page.getUrl();
             final WebRequest request = new WebRequest(url, pageCharset, pageUrl);
 
             if (isAlreadyLoadedByAncestor(url, request.getCharset())) {