RE: DAP and security (was: Rename "File API" to "FileReader API"?)

My comments:

-----Original Message-----
From: Jonas Sicking [mailto:jonas@sicking.cc] 
Sent: 18 November 2009 20:15
To: David Rogers
Cc: Maciej Stachowiak; Marcin Hanclik; Dominique Hazael-Massieux; Robin
Berjon; public-device-apis@w3.org; public-webapps WG
Subject: Re: DAP and security (was: Rename "File API" to "FileReader
API"?)

On Wed, Nov 18, 2009 at 5:27 AM, David Rogers <david.rogers@omtp.org>
wrote:
> Hi Maciej,
>
> >From my side I'd like to understand what your thoughts and proposals
for file writing security / policy would entail - would you defer the
decision responsibility to the user via a prompt?

>From my point of view the answer is unfortunately "there are no simple
answers, it's always a judgement call".

[DAVID] So potentially that 'judgement' can be made by a third party who
has more expertise than the user, extended to allow for context etc. -
there would be lots of metadata to help with that from the policy
provider point-of-view.

For example for the geolocation the security model is basically:

1. Page asks for user position
2. User is faced with a non-modal dialog where he/she can answer yes
or no, or simply ignore the dialog
3. Only if the user answers "yes" then the position is returned to the
page.

In this case I think this was an acceptable solution.

[DAVID] Obvious answer to this - user clicks yes. Not acceptable. Given
that child protection is a use case for geolocation privacy, do you
think it is responsible to give a child that question?


If we added a directory API which gave access to a requested path on
the users hard drive we could use a similar security model:

1. Page asks user for permission to read/write to a specific
directory, say "C:\"
2. User is faced with a non-modal dialog where he/she can answer yes
or no, or simply ignore the dialog
3. Only if the user answeres "yes" a reference to the directory is
returned which the page can read from/write to.

This would *not* be an acceptable solution to me, despite being
basically identical to the geolocation case.

The reason is two-fold. I think it's easier to explain to the user
what the user is authorizing ("your location"), and if a user doesn't
understand and still clicks "yes", it has less catastrophic results.

[DAVID] There are lot of not-so tech-savvie people using the web, so
everything is on the table - you are assuming intelligence/knowledge
from the off.

For the directory API though, it's much harder to explain the decision
to the user. What's the "C:\" directory? What's the difference between
that and "C:\Documents and Settings\Jonas Sicking\My Images"? What's a
directory? Also, if a user clicks "yes" without understanding the
risks, that has catastrophic results if the directory in question is
"C:\" and read/write access is granted.

When it comes to security dialogs, the basic rule to keep in mind is
"Lots of people are not going to understand it and just click whatever
button they think will get stuff to work, or a random button".

[DAVID] Agreed.

/ Jonas

Received on Thursday, 19 November 2009 10:46:57 UTC