It appears that Safari does not enforce any kind of access restrictions for XMLHttpRequests on file: scheme URLs. As a result, any HTML file on the local file system that is opened in Safari can read any file that the user has access to (and, of course, it can upload those files too). A little PoC is here: https://gist.github.com/rongarret/d8987c9cd57bd768e1de
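For triage of saved HTML files before they are opened locally, the following added example (not from the original post or the linked gist) scans inline scripts for XMLHttpRequest `open()` calls whose literal URL resolves to a file: URL once the page is loaded from disk. The `BASE` path, the function names and the `SAMPLE` markup are constructed for illustration; URLs assembled at runtime are not caught by this static check.

```javascript
// Constructed location standing in for where the HTML file was saved.
const BASE = 'file:///Users/example/Downloads/page.html';

// Return the bodies of inline <script> elements.
function inlineScripts(html) {
  const out = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Find .open(method, url) calls with a string-literal URL and resolve the
// URL the way a browser would for a document loaded from `base`.
// Relative and absolute-path URLs inherit the file: scheme from the page.
function fileSchemeRequests(html, base = BASE) {
  const findings = [];
  const call = /\.open\s*\(\s*(['"])[A-Za-z]+\1\s*,\s*(['"])(.*?)\2/g;
  for (const src of inlineScripts(html)) {
    let m;
    while ((m = call.exec(src)) !== null) {
      let resolved;
      try { resolved = new URL(m[3], base); } catch { continue; }
      if (resolved.protocol === 'file:') findings.push(resolved.href);
    }
  }
  return findings;
}

// Constructed sample page: two requests resolve to file:, one does not.
const SAMPLE = `<html><body>
<script>
  var a = new XMLHttpRequest();
  a.open("GET", "file:///tmp/constructed-sample.txt");
  var b = new XMLHttpRequest();
  b.open('GET', '../notes.txt', false);
  var c = new XMLHttpRequest();
  c.open("POST", "https://example.com/api");
</script>
</body></html>`;

console.log(fileSchemeRequests(SAMPLE));
```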