touch-packages team mailing list archive

[Olivier Tilloy <olivier.tilloy@xxxxxxxxxxxxx>]

> In any other browser I know, both work. If necessary,
> the browser adds the 2 missing slashes.

If browsing the local filesystem was allowed, this could easily be
implemented, of course.


> Huh? Could you explain how this improves security? As far as I can
> see, it encourages users to set up a local web server, potentially
> broadcasting confidential files to the local area, rather than keeping
> them on the phone.

Ubuntu touch’s security model confines applications so that they can’t gain access to other applications’ data and files. The browser is no exception, thus it is not allowed to browse the local filesystem.
See https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement for a detailed specification.

This is meant to protect the average phone user against malicious applications.
If a user knows how to set up a local web server, they supposedly know what they are doing, and it’s their responsibility to ensure that they’re not giving away access to all their files to the outer world.


> Btw, other phone browsers, such as Android, do allow this.

Last time I checked, it didn’t. That was a while ago though, things
might have changed. Android has a rather different security model
though.


> If this is not a big effort to implement, please do, or at least until
> bug #1516220 is fixed.

As I wrote earlier, this is not a bug, it’s a (security) feature. So the confinement rules won’t be relaxed.
If you have a strong case against this decision, I encourage you to raise the topic on the ubuntu-phone mailing list, where the security team can participate in the discussion.

Please avoid confirming your own bug reports. Thanks for your time and
bug reports, keep them coming!

** Changed in: webbrowser-app (Ubuntu)
       Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to webbrowser-app in Ubuntu.
https://bugs.launchpad.net/bugs/1516249

Title:
  file:/ URLs not supported

Status in webbrowser-app package in Ubuntu:
  Invalid

Bug description:
  file:/ URLs are not suported (... instead it passes it on to google
  when entered into URL bar, or raises a "network error" when followed
  from a page)

  Being able to browser local html pages would be handy to work around
  bug #1516220 (lack of form completion or password manager), because
  that way could could store pre-filled forms somewhere on your home
  directory.

  Well it is still possible to pull of this workaround, but it requires
  installing nginx (... and configuring it correctly to prevent people
  on the same Wifi from snarfing your password-containing templates...)

  phablet@ubuntu-phablet:~/public_html$ lsb_release -rd
  Description:    Ubuntu 15.04
  Release:        15.04
  phablet@ubuntu-phablet:~/public_html$ apt-cache policy webbrowser-app
  webbrowser-app:
    Installed: 0.23+15.04.20151103-0ubuntu1
    Candidate: 0.23+15.04.20151103-0ubuntu1
    Version table:
   *** 0.23+15.04.20151103-0ubuntu1 0
         1001 http://ppa.launchpad.net/ci-train-ppa-service/stable-snapshot/ubuntu/ vivid/main armhf Packages
          100 /var/lib/dpkg/status
       0.23+15.04.20150416-0ubuntu1 0
          500 http://ports.ubuntu.com/ubuntu-ports/ vivid/main armhf Packages

  What I expected to happen:
    Visiting file:/ should show me a directory view of the root directory of the device

  What happened instead:
    The phone passed the string file:/ on to google... D'oh... :-(

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/webbrowser-app/+bug/1516249/+subscriptions