On 03.07.2011 02:42, Sam Varshavchik wrote:
What you're missing is that a remote server's ability to instruct your web browser to open the contents of file:/// URL is limited to precisely that: your web browser opening and displaying the contents of file:///. The remote server's javascript has no means of accessing the contents of file:///. Once your web browser opens file:///, the previous page from the remote server is closed, together with all the javascript that was in it.
If file:/// gets opened in a separate window or a tab, as can be done, the javascript running from another window or tab still has no means of accessing the contents of another scope, as well. Javascript can only access resources that originate from the same scope.
This is a well-understood security model. There have been isolated instances in the past, where flaws were discovered in some individual browser's security model that allowed some mechanism for running Javascript to access content from another scope; occasionally a common flaw was found that was shared by several browsers.
Barring your wonderrouter leveraging some heretofore unknown security exploit, all that your wonderrouter is doing is the equivalent of the HTML that reads
<a href="file:///">Y0U h4ve b33n p0wned</a>
My conclusion is that JD is one of two types of people:
* troll starting useless flamewar
* learning-resistant idiot without any technical understanding
In the worst case, both.
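
The scope rule described in the quoted text above can be modelled as an origin comparison on scheme, host and port, as in RFC 6454. This is an added example, not code from the thread; the function names and sample URLs are constructed, and treating file: as an opaque origin that matches nothing is an assumption (browsers differ in how they handle file: origins).

```javascript
// Added illustration, not code from the thread: a simplified model of the
// same-origin comparison (scheme, host, port) described in RFC 6454.
const DEFAULT_PORTS = new Map([["http:", "80"], ["https:", "443"]]);

// Returns the origin tuple as a string, or null for an opaque origin.
// Assumption: file: and other non-network schemes are treated as opaque,
// which is the conservative choice.
function originOf(urlString) {
  const u = new URL(urlString);
  if (!DEFAULT_PORTS.has(u.protocol)) return null;
  // The URL parser drops default ports, so restore them before comparing.
  const port = u.port || DEFAULT_PORTS.get(u.protocol);
  return `${u.protocol}//${u.hostname}:${port}`;
}

// A script running in pageUrl may read targetUrl's content only when both
// origins are non-opaque and identical.
function scriptCanRead(pageUrl, targetUrl) {
  const page = originOf(pageUrl);
  const target = originOf(targetUrl);
  return page !== null && target !== null && page === target;
}

// Constructed sample URLs: a page served by a router and resources it names.
const ROUTER_PAGE = "http://192.168.1.1/status.html";

function checkSamples() {
  return {
    sameDevice: scriptCanRead(ROUTER_PAGE, "http://192.168.1.1:80/cgi/info"),
    otherPort: scriptCanRead(ROUTER_PAGE, "http://192.168.1.1:8080/"),
    otherScheme: scriptCanRead(ROUTER_PAGE, "https://192.168.1.1/"),
    localFile: scriptCanRead(ROUTER_PAGE, "file:///home/user/notes.txt"),
    fileToFile: scriptCanRead("file:///home/user/a.html", "file:///home/user/notes.txt"),
  };
}

console.log(checkSamples());
```

Only the first sample passes the check: the explicit default port 80 is the same origin as the page, while a different port, a different scheme and any file: URL are not.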