[tbb-dev] window.localStorage and .sessionStorage deliberately broken for file:// URLs?

dev942 at sigaint.org dev942 at sigaint.org
Sat Feb 20 09:17:31 UTC 2016

I'm working on an application that's distributed as a single HTML file
containing JavaScript, intended to be saved locally. The JavaScript then
makes various XMLHttpRequests to the network, to provide security
properties that a normal web application can't. That's kind of hacky (vs.
doing it as a browser extension or whatever), but I was hoping that would
make it easy to install in hardened, mostly-read-only OS installations.

That works in stock Firefox. It doesn't work in Tor Browser, because
window.localStorage (and .sessionStorage) fail for file:// URLs.

Is that deliberate? They work for http:// and https:// URLs, so it doesn't
seem like a security decision.


More information about the tbb-dev mailing list