When you load a file:// URL in an Android WebView or in the Android browser, what does it treat as the origin? What can the JavaScript on that page access? Can it access other files in the same directory? Other files elsewhere on the device?
Background: I know that, in desktop browsers, the same-origin policy for file:// URLs has varied over time and from browser to browser. For instance, some browsers used to treat all file:// URLs as being within the same origin, so any one page could script all pages with the file protocol. Today, I think some desktop browsers use the directory as the origin (e.g., file://a/b/c.html is in the same origin as file://a/b/d.html and they can script each other, but they are in a different origin from file://a/y/z.html and cannot script it), while I think other browsers use the entire path as the origin (i.e., file://a/b/c.html is in a different origin from file://a/b/d.html and cannot script it or any other file URL). What's the situation for the Android browser / the renderer used by Android WebViews?