A security researcher demonstrated a technique that could allow attackers to steal files stored on a victim’s computer by downloading an HTML attachment and opening it locally on your browser.


The attack takes advantage of the way Firefox implements Same Origin Policy (SOP) for the “file://” scheme URI (Uniform Resource Identifiers), which allows any file in a folder on a system to get access to files in the same folder and subfolders.

Since the Same Origin Policy for the file scheme has not been defined clearly in the RFC by IETF, every browser and software have implemented it differently—some treating all files in a folder as the same origin whereas other treat each file as a different origin.

Firefox seems to be the only major browser that didn’t change its insecure implementation of Same Origin Policy (SOP) for File URI Scheme over time and also supports Fetch API over file protocol.