
287 points jamesbvaughan | 4 comments
1. Dwedit No.41084078
What the hell, browser makers... Make it so that file:// URLs are extremely locked down and don't have enough rights to even fetch files in the same directory (or even itself), yet grant localhost URLs full permissions...

There's a reason why local web applications aren't a collection of HTML and JS files, and are instead full copies of the Chromium browser.

replies(2): >>41084173 >>41084188
2. NavinF No.41084173
What are you talking about? The OP made requests from his Bun server. CORS would obviously break any request made directly from JS in the browser.
3. cyanmagenta No.41084188
The difference is that file:// URLs can be opened by your grandparent opening a .html file that they downloaded, whereas http://localhost requires you to actually set up a web server.

Imagine double-clicking a malicious page.html and suddenly your entire Documents folder can be fetched and manipulated by JavaScript. Yikes.

But to your latter point, yeah, there’s no reason sandboxed web apps couldn’t be given better file:// permissions.

replies(1): >>41087107
4. recursive No.41087107
This drives me nuts. <script src> works on file, but <script type=module src> does not. In order to use ESM imports from file:// you have to load the scripts from blob:// URLs. It seems crazy to me.
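
The behaviour discussed in this thread, as an added example that is not part of any comment above: a simplified model of the Fetch standard's origin and mode checks, showing why classic scripts load from file:// while module scripts and fetch() do not, and why a blob: URL created by the page works. It assumes the browser gives every file:// URL its own opaque origin; the paths, blob URL and localhost port are constructed.

```javascript
// Simplified model of the Fetch standard's main-fetch checks (added example).
// Assumption: the browser gives every file:// URL its own opaque origin.
function originOf(url, blobOwners = new Map()) {
  const u = new URL(url);
  // A blob: URL carries the origin of the page that created it.
  if (u.protocol === "blob:" && blobOwners.has(url)) return blobOwners.get(url);
  if (u.protocol === "http:" || u.protocol === "https:") return u.origin;
  return { opaque: true }; // fresh object: equal to nothing but itself
}

// mode is "no-cors" for <script src>, "cors" for <script type=module src> and fetch().
function mainFetch(pageOrigin, resourceUrl, mode, blobOwners) {
  const scheme = new URL(resourceUrl).protocol;
  if (pageOrigin === originOf(resourceUrl, blobOwners)) return "allowed: same-origin";
  if (mode === "no-cors") return "allowed: opaque response";
  if (scheme !== "http:" && scheme !== "https:") return "network error";
  return "allowed only with CORS headers";
}

function demo() {
  const page = "file:///home/user/app/index.html"; // constructed path
  const pageOrigin = originOf(page);
  const blobUrl = "blob:null/00000000-0000-4000-8000-000000000001"; // constructed
  const blobOwners = new Map([[blobUrl, pageOrigin]]);
  const local = "http://localhost:3000"; // hypothetical dev server
  return {
    classicScript: mainFetch(pageOrigin, "file:///home/user/app/main.js", "no-cors", blobOwners),
    moduleScript: mainFetch(pageOrigin, "file:///home/user/app/main.js", "cors", blobOwners),
    fetchSelf: mainFetch(pageOrigin, page, "cors", blobOwners),
    moduleFromBlob: mainFetch(pageOrigin, blobUrl, "cors", blobOwners),
    localhostModule: mainFetch(local, local + "/main.js", "cors", blobOwners),
    localhostToApi: mainFetch(local, "https://api.example.com/v1", "cors", blobOwners),
  };
}

console.log(demo());
```

A file:// resource can never satisfy the CORS branch because there is no HTTP response to carry the headers, so every cross-origin "cors" request to it ends in a network error.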