From feca5c4b807642c6b2ae446c5ea74518f8a114d9 Mon Sep 17 00:00:00 2001 From: Witold Filipczyk Date: Mon, 31 Oct 2022 20:25:32 +0100 Subject: [PATCH] [xhr] Added bool option ecmascript.allow_xhr_file --- src/ecmascript/ecmascript.cpp | 4 ++++ src/ecmascript/mujs/xhr.cpp | 8 ++++++-- src/ecmascript/quickjs/xhr.cpp | 20 ++++++-------------- src/ecmascript/spidermonkey/xhr.cpp | 8 ++++++-- test/ecmascript/ajax.html | 4 ++-- 5 files changed, 24 insertions(+), 20 deletions(-) diff --git a/src/ecmascript/ecmascript.cpp b/src/ecmascript/ecmascript.cpp index 7ddd3ebe..54f24253 100644 --- a/src/ecmascript/ecmascript.cpp +++ b/src/ecmascript/ecmascript.cpp @@ -90,6 +90,10 @@ static union option_info ecmascript_options[] = { "block_window_opening", OPT_ZERO, 0, N_("Whether to disallow scripts to open new windows or tabs.")), + INIT_OPT_BOOL("ecmascript", N_("Allow XHR requests to local files"), + "allow_xhr_file", OPT_ZERO, 0, + N_("Whether to allow XHR requests to local files.")), + NULL_OPTION_INFO, }; diff --git a/src/ecmascript/mujs/xhr.cpp b/src/ecmascript/mujs/xhr.cpp index 393a4e55..af497935 100644 --- a/src/ecmascript/mujs/xhr.cpp +++ b/src/ecmascript/mujs/xhr.cpp @@ -667,10 +667,14 @@ mjs_xhr_send(js_State *J) mem_free(url2); } } - xhr->download.data = xhr; - xhr->download.callback = (download_callback_T *)mjs_xhr_loading_callback; if (xhr->uri) { + if (xhr->uri->protocol == PROTOCOL_FILE && !get_opt_bool("ecmascript.allow_xhr_file", NULL)) { + js_pushundefined(J); + return; + } + xhr->download.data = xhr; + xhr->download.callback = (download_callback_T *)mjs_xhr_loading_callback; load_uri(xhr->uri, doc_view->session->referrer, &xhr->download, PRI_MAIN, CACHE_MODE_NORMAL, -1); if (xhr->timeout) { set_connection_timeout_xhr(xhr->download.conn, xhr->timeout); diff --git a/src/ecmascript/quickjs/xhr.cpp b/src/ecmascript/quickjs/xhr.cpp index 2af9d0bd..16667c7b 100644 --- a/src/ecmascript/quickjs/xhr.cpp +++ b/src/ecmascript/quickjs/xhr.cpp 
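Review bot: The help text for `allow_xhr_file` in `ecmascript_options[]` does not say who gains the access. The checks added in the three xhr.cpp files test only the request URI's protocol, not the origin of the document running the script, so with the option enabled a script from any loaded page appears able to issue file: requests. I would extend the description, for example `N_("Whether to allow XHR requests to local files. When enabled, scripts from any page, including remote ones, may request file:// URIs.")`. Defaulting the option to 0 is the right choice.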
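Review bot: The refused branch in `mjs_xhr_send` returns undefined without giving the script any signal: no exception, error event or state change is visible in the hunk, so a page cannot tell a refused file: request from one that is still pending. Consider reporting the refusal the way other failed loads are reported in this file (that code is outside the hunk), or at least record the decision with a comment such as `/* file: XHR is refused unless ecmascript.allow_xhr_file is set; the request is dropped without an error event */`. The same silent return is in the quickjs and spidermonkey `xhr_send` hunks. The function body starts and ends outside the hunk.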
@@ -1154,29 +1154,21 @@ xhr_send(JSContext *ctx, JSValueConst this_val, int argc, JSValueConst *argv) done_uri(x->uri); x->uri = get_uri(url2, URI_DIR_LOCATION | URI_PATH | URI_USER | URI_PASSWORD | URI_POST); mem_free(url2); - -// curl_easy_setopt(x->curl_h, CURLOPT_POSTFIELDSIZE, (long) size); -// curl_easy_setopt(x->curl_h, CURLOPT_COPYPOSTFIELDS, body); JS_FreeCString(ctx, body); } } -// if (x->slist) -// curl_easy_setopt(x->curl_h, CURLOPT_HTTPHEADER, x->slist); -// if (x->async) -// curl_multi_add_handle(x->curlm_h, x->curl_h); -// else { -// CURLcode result = curl_easy_perform(x->curl_h); -// curl__done_cb(result, x); -// } - x->sent = true; - x->download.data = x; - x->download.callback = (download_callback_T *)x_loading_callback; struct ecmascript_interpreter *interpreter = (struct ecmascript_interpreter *)JS_GetContextOpaque(ctx); struct view_state *vs = interpreter->vs; struct document_view *doc_view = vs->doc_view; if (x->uri) { + if (x->uri->protocol == PROTOCOL_FILE && !get_opt_bool("ecmascript.allow_xhr_file", NULL)) { + return JS_UNDEFINED; + } + x->sent = true; + x->download.data = x; + x->download.callback = (download_callback_T *)x_loading_callback; load_uri(x->uri, doc_view->session->referrer, &x->download, PRI_MAIN, CACHE_MODE_NORMAL, -1); if (x->timeout) { set_connection_timeout_xhr(x->download.conn, x->timeout); diff --git a/src/ecmascript/spidermonkey/xhr.cpp b/src/ecmascript/spidermonkey/xhr.cpp index 89cb4163..5294dab8 100644 --- a/src/ecmascript/spidermonkey/xhr.cpp +++ b/src/ecmascript/spidermonkey/xhr.cpp 
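Review bot: `x->sent = true;` now runs only when `x->uri` is set and the request is not refused, whereas before this change it was set on every call to `xhr_send`. If other code in this file tests `x->sent` (not visible here), a refused or URI-less send now looks as if send() was never called. That is presumably intended, but it deserves a comment next to the assignment, e.g. `/* sent stays false when the request is refused or has no URI */`. The mujs and spidermonkey hunks show no equivalent flag, so it is worth confirming that the three engines agree. `xhr_send` continues outside the hunk.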
@@ -849,10 +849,14 @@ xhr_send(JSContext *ctx, unsigned int argc, JS::Value *rval) mem_free(body); } } - xhr->download.data = xhr; - xhr->download.callback = (download_callback_T *)xhr_loading_callback; if (xhr->uri) { + if (xhr->uri->protocol == PROTOCOL_FILE && !get_opt_bool("ecmascript.allow_xhr_file", NULL)) { + args.rval().setUndefined(); + return true; + } + xhr->download.data = xhr; + xhr->download.callback = (download_callback_T *)xhr_loading_callback; load_uri(xhr->uri, doc_view->session->referrer, &xhr->download, PRI_MAIN, CACHE_MODE_NORMAL, -1); if (xhr->timeout) { set_connection_timeout_xhr(xhr->download.conn, xhr->timeout); diff --git a/test/ecmascript/ajax.html b/test/ecmascript/ajax.html index 68e475d3..0d7a5a5d 100644 --- a/test/ecmascript/ajax.html +++ b/test/ecmascript/ajax.html @@ -9,10 +9,10 @@
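Review bot: The protocol test is applied once, to the URI as it stands when `xhr_send` runs. Whether `load_uri` can follow a redirect from another scheme to a file: URI is not visible in this hunk; if it can, that path would not be covered by `ecmascript.allow_xhr_file`, so please confirm. Since the same condition is now copied into three engines, I would move it into one shared helper so a later tightening lands in one place, e.g. `if (!xhr_uri_allowed(xhr->uri)) { args.rval().setUndefined(); return true; }` (the helper name is a suggestion and does not exist yet). `xhr_send` starts and ends outside the hunk.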