Hi,

this is the blocked content the configuration of access to the content must be modified as follows

https://support.mozilla.org/en-US/kb/content-blocking

I am trying to load a local file on my C drive, not from a web site. These instructions apply to web sites. How do I grant permissions for reading local files with embedded javascript?

Hi VinceVega, Firefox 68 has a new security patch which limits file:// pages from loading some types of content from file:// URLs. Could you check the Web Console to see whether that is the issue in your case. Here's how:

You can open the Web Console in the lower part of the tab using either:

• "3-bar" menu button > Web Developer > Web Console
• (menu bar) Tools > Web Developer > Web Console
• (Windows) Ctrl+Shift+k

Then reload the page in the upper part of the tab and watch for error or security messages. In particular, do you see

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at file:///<your URL> (Reason: CORS request not http).

Or something else?

These are the errors that I get when I try to load the local html file with javascript. Note the char encoding of the HTML is declared:

<meta http-equiv="content-type" content="text/html"> <meta http-equiv="charset" content="UTF-8"> <title>wwhelp_entry.html</title> <script type="text/javascript" language="JavaScript1.2"> . . . ------------------------------------------------------------------- The character encoding of the HTML document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the page must be declared in the document or in the transfer protocol. wwhelp.htm The character encoding of the HTML document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the page must be declared in the document or in the transfer protocol. api.htm The character encoding of the HTML document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the page must be declared in the document or in the transfer protocol. wwhsec.htm The character encoding of the HTML document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the page must be declared in the document or in the transfer protocol. switch.htm The character encoding of the HTML document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the page must be declared in the document or in the transfer protocol. wwhelp.htm SecurityError: Permission denied to access property "WWHBrowser" on cross-origin object </p></script>

Hi VinceVega, I'm not concerned about the character encoding warning. What do you think triggered this last one:

SecurityError: Permission denied to access property "WWHBrowser" on cross-origin object

Does the page use a script to load or switch pages in frames or iframes?

Yes, it does.

Here's the complete file:

<meta http-equiv="content-type" content="text/html"> <meta http-equiv="charset" content="UTF-8"> <title>wwhelp_entry.html</title> <script type="text/javascript" language="JavaScript1.2"> <!-- function WWHHelpFrame_LaunchHelp() { var BaseURL, Parameters, Parts; // Process URL parameters // BaseURL = window.location.href; Parameters = ""; if (BaseURL.indexOf("?") !== -1) { Parts = BaseURL.split("?"); BaseURL = Parts[0]; Parameters = "?" + Parts[1]; } else if (BaseURL.indexOf("#") !== -1) { Parts = BaseURL.split("#"); BaseURL = Parts[0]; Parameters = "#" + Parts.slice(1).join("#"); } BaseURL = BaseURL.substring(0, BaseURL.lastIndexOf("/")); // Sanitize parameters // Parameters = Parameters.replace(/[\\<>:;"']|%5C|%3C|%3E|%3A|%3B|%22|%27/gi, ""); window.setTimeout(function () { window.location.replace(BaseURL + "/wwhelp/wwhimpl/common/html/switch.htm" + Parameters); }, 1); } // --> </script>

I don't know if this is relevant to your files, but at least one help system used to work differently in Firefox vs. Chrome because Firefox offered more scriptability with local files in Firefox 67 and earlier. They plan to change to treating them the same going forward: https://discourse.mozilla.org/t/firefox-68-local-files-now-treated-as-cross-origin-1558299/42493

Whoops, our posts crossed.

Firefox 68 contains a security patch which restricts the kinds of files that pages can load (and methods of loading) when you open them from a file:// URL. This change was made to prevent exfiltration of valuable data within reach of a local page, as demonstrated in an available exploit. More info: https://developer.mozilla.org/docs/Web/HTTP/CORS/Errors/CORSRequestNotHttp

For now, to make your help system work on file:// URLs, you can roll back the patch as follows:

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.

(2) In the search box above the list, type or paste uniq and pause while the list is filtered

(3) Double-click the privacy.file_unique_origin preference to switch the value from true to false

To mitigate the vulnerability: If you save pages from untrusted sites in a separate folder, e.g., Downloads\Untrusted, then it would be difficult for an attacker to find any valuable content using local file links.

Thanks so much for the workaround!