W3C home > Mailing lists > Public > public-webapi@w3.org > May 2008

Re: File IO...

From: Boris Zbarsky <bzbarsky@MIT.EDU>
Date: Wed, 07 May 2008 14:14:52 -0500
Message-ID: <4821FFAC.3040905@mit.edu>
To: Scott Shattuck <idearat@mindspring.com>
CC: "Web API WG (public)" <public-webapi@w3.org>

Scott Shattuck wrote:
> This is possible today on IE and Mozilla with a single user-visible 
> security prompt.

That's only the case in Mozilla if:

1) The script is running at a file:// URI


2) The user has changed a hidden preference to allow random
    sites to put up this prompt.


3) The site is in a signed jar.  In particular, in this situation
    the user has a bit more of an idea of "who" the site is than
    in most cases.

Note that there are likely to be more restrictions placed on this functionality 
in the future (possibly including removing it altogether).

> Once answered this functionality is accessible.

Temporarily, yes.  The permissions grant is for the lifetime of the JS stack 
frame the request was made in, unless the user selects the "remember this 
decision" checkbox.

> "Remember this decision" to the above prompt.

Yes, but that's a very clear decision on the user's part.  And again, it's 
something that's subject to change.  It's certainly not something that we feel 
is particularly great security.

Received on Wednesday, 7 May 2008 19:15:33 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:16:26 UTC