Firefox 68 does not run kiwix-js any more through file:// #532

Closed
mossroy opened this issue Jul 12, 2019 · 2 comments · Fixed by #535
mossroy commented Jul 12, 2019

I suspect it comes from some security improvements coming with this version.
I did not notice this issue in older versions of Firefox.
The issue is the same with the source code of tag 2.5.0, or the latest one.

Here are the symptoms I have:

  • The glyphicons no longer display, with the following error in the console:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at file:///home/mossroy/git/kiwix-js/www/fonts/glyphicons-halflings-regular.ttf. (Reason: CORS request not http)

  • Opening a ZIM file now fails with the following error in the console:

TypeError: iframeArticleContent.contentDocument is null

It fails the same way with Chromium (and I seem to remember it was already the case before).

  • Running the unit tests through file:// makes them fail with the following error in the console:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at file:///home/mossroy/git/kiwix-js/tests/wikipedia_en_ray_charles_2015-06.zimaa. (Reason: CORS request not http)

I think we should try to mitigate this before releasing a version 2.6 (#525).
I don't think we have a way to really fix this: we probably can't bypass the security checks of the browser.
But we should at least change the note at the top of tests.html to indicate a local webserver is now necessary for Firefox too.
And, if it's possible, we should try to display a more meaningful message when this happens.

mossroy added this to the v2.6 milestone Jul 12, 2019
mossroy self-assigned this Jul 12, 2019

Jaifroid commented Jul 13, 2019

It might be worth checking with #527, because that PR uses the latest Bootstrap, which has removed glyphicons, and uses SVG icons instead. It might solve this cross-origin issue.


mossroy commented Jul 13, 2019

Yes, Bootstrap 4 might solve the cross-origin issue with icons on file://. But it won't solve the other ones.

All these issues come from https://www.mozilla.org/en-US/security/advisories/mfsa2019-21/#CVE-2019-11730, which has been fixed in Firefox 68.

I found on https://stackoverflow.com/questions/56999411/firefox-68-local-files-now-treated-as-cross-origin-is-there-a-way-to-override that it can be overridden by setting privacy.file_unique_origin to false in about:config: with this setting, everything is back to normal.
But, of course, it's not possible to set that automatically, and it would be a security breach.

I think we should:

  • document that situation, and the workaround (at least at the beginning of tests.html) with some security warnings
  • see if we can detect this in kiwix-js (maybe by testing if iframeArticleContent.contentDocument is defined in app.js), and display a meaningful error message if the problem occurs (with the solutions we know: go through a webserver, use as a browser extension or app, use the workarounds for each browser)

mossroy added a commit that referenced this issue Jul 14, 2019
These issues occur at least on Firefox>=68 and Chrome
Fixes #532
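
The detection proposed in the last comment, sketched as an added example that is not part of the issue thread or of the kiwix-js code base. The function names `checkIframeAccess` and `describeBlock` and the element id `articleContent` are hypothetical; the location and iframe are passed in so the logic can be exercised outside a browser.

```javascript
// Added example: hypothetical helper, not taken from kiwix-js.
// Remedies are the ones listed in the issue discussion.
const REMEDIES = [
  'serve the app from a local web server (http://localhost)',
  'install it as a browser extension or app',
  'use the browser-specific workaround (it weakens file:// isolation)'
];

// Classify whether the page can reach the article iframe's document.
// `loc` is window.location (or a stand-in with a `protocol` string);
// `iframe` is the iframe element (or a stand-in).
function checkIframeAccess(loc, iframe) {
  let doc = null;
  try {
    // A cross-origin frame exposes contentDocument as null;
    // treat an exception on access the same way.
    doc = iframe.contentDocument;
  } catch (e) {
    doc = null;
  }
  if (doc) {
    return { blocked: false, reason: 'ok', remedies: [] };
  }
  if (loc.protocol === 'file:') {
    // Firefox >= 68 and Chromium treat file:// documents as cross-origin.
    return { blocked: true, reason: 'file-unique-origin', remedies: REMEDIES };
  }
  return { blocked: true, reason: 'cross-origin-frame', remedies: [] };
}

// Build the user-facing text; empty string when nothing is wrong.
function describeBlock(result) {
  if (!result.blocked) return '';
  if (result.reason !== 'file-unique-origin') {
    return 'The article frame is not accessible from this page.';
  }
  return 'This browser isolates pages opened through file://, so articles ' +
    'cannot be displayed. Options:\n- ' + result.remedies.join('\n- ');
}

// Browser wiring; the element id "articleContent" is an assumption.
if (typeof document !== 'undefined') {
  const frame = document.getElementById('articleContent');
  const message = frame ? describeBlock(checkIframeAccess(window.location, frame)) : '';
  if (message) console.error(message);
}
```
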