"styles/[FILE.EXT]"
Some text.
"[FILE.EXT]"
Some text.
"../[FILE.EXT]"
Some text. (Fails on Firefox)
On a local filesystem, when loading an HTML page, any image on the hard drive, regardless of where it is relative to the HTML or CSS file, can be displayed on the page, and can therefore be accessed by that page. Font files, on the other hand, will only be displayable if found in a directory at or below the directory containing the referencing HTML file (not the referencing CSS file).
This causes problems for local development because custom fonts and icon fonts will not load locally under normal directory development conditions. The two issues related to this (760436 and 230606) indicate that the font blocking is by design, but this "security policy" does nothing about loading arbitrary image files from the user's hard drive.
The ability to access arbitrary image files on a user's hard drive by the local filesystem is FAR more dangerous than font loading because image files are more personal/privacy-sensitive than fonts and image filename conventions and locations are more easily guessed.
Either image usage by Firefox on the local filesystem needs to be blocked the same way as fonts are, or the font loading restriction by CSS need to be lifted. Anything else represents an inconsistency and a false-promise of security.
Firefox is the only modern browser with this font restriction. Chrome, Safari, Opera, and IE11 do not limit fonts this way.
| Image Background | Image Border | Font-Face | Img Tag | |
|---|---|---|---|---|
|
Below HTML Directory
"styles/[FILE.EXT]" |
Some text.
|
| ||
|
Same As HTML Directory
"[FILE.EXT]" |
Some text.
|
| ||
|
Above HTML Directory
"../[FILE.EXT]" |
Some text. (Fails on Firefox)
|
|