W3C home > Mailing lists > Public > public-webapi@w3.org > May 2008

Re: Security Re: File IO...

From: Arve Bersvendsen <arveb@opera.com>
Date: Thu, 08 May 2008 09:18:23 +0100
To: "Maciej Stachowiak" <mjs@apple.com>, "Charles McCathieNevile" <chaals@opera.com>
Cc: "Web API WG (public)" <public-webapi@w3.org>
Message-ID: <op.uattcvoybyn2jm@galactica>

On Wed, 07 May 2008 20:57:25 +0100, Maciej Stachowiak <mjs@apple.com>  
wrote:

> They both said that this proposal was only meant for things like  
> widgets, and agreed with my assessment that it would be a giant security  
> hole if exposed to web content.

Without commenting further: Yes, in its current incarnation it raises  
security concerns, but what I meant to say was more "Our primary use case,  
and concerns that we have put into the initial proposal are centered  
around locally installed web applications, aka widgets".

I would not exclude making a subset of the proposal available to web  
applications though. Note that the current proposal speaks of FileStreams  
-- ideally, these should be generic IOStreams, and should apply to other  
protocols than "mountpoint" or "file".  Think scratch areas, webdav/svn  
integration, file upload with folder watch (but the method of doing so  
would have to be well-defined and more secure).  The initial proposal is  
not meant to cover this, but a properly worked out, future revision could  
cover both.

-- 
Arve Bersvendsen

Developer, Opera Software ASA, http://www.opera.com/
Received on Thursday, 8 May 2008 08:19:42 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Thursday, 8 May 2008 08:19:43 GMT