Re: Security evaluation of an example DAP policy

On Nov 20, 2009, at 01:26 , Maciej Stachowiak wrote:
>> For what it's worth, I think any API that opened a dialog asking the
>> user "Do you want to give website X access to directory Y in your file
>> system" would not be an API we'd be willing to implement in firefox.
>> I.e. our security policy would be to always deny such a request (thus
>> making implementing the API useless for our users).
> 
> Ditto for Safari.

That's good, because it's not part of the plan to do such a thing. The writer level for the File API, which I'm tasked to draft up, certainly doesn't plan any such thing.

There is interest in a Directory level, but it's lower. And I would expect it to only be available to widgets, or /perhaps/ to some sort of virtual local file system accessed through a localFS object à la localStorage (with quotas, security considerations that UAs shouldn't implement that by actually storing files on the FS as that could open up a bunch of issues, etc.).

-- 
Robin Berjon - http://berjon.com/

Received on Friday, 20 November 2009 16:39:23 UTC