
Re: Security Re: File IO...

From: Maciej Stachowiak <mjs@apple.com>
Date: Thu, 8 May 2008 02:51:20 -0700
Cc: Charles McCathieNevile <chaals@opera.com>, "Web API WG (public)" <public-webapi@w3.org>
Message-Id: <C2B1FAA9-CF77-4D4F-B5E2-0C15F708ECDD@apple.com>
To: Arve Bersvendsen <arveb@opera.com>


On May 8, 2008, at 1:18 AM, Arve Bersvendsen wrote:

> On Wed, 07 May 2008 20:57:25 +0100, Maciej Stachowiak  
> <mjs@apple.com> wrote:
>
>> They both said that this proposal was only meant for things like  
>> widgets, and agreed with my assessment that it would be a giant  
>> security hole if exposed to web content.
>
> Without commenting further: Yes, in its current incarnation it  
> raises security concerns, but what I meant to say was more "Our  
> primary use case, and concerns that we have put into the initial  
> proposal are centered around locally installed web applications, aka  
> widgets".
>
> I would not exclude making a subset of the proposal available to web  
> applications though. Note that the current proposal speaks of  
> FileStreams -- ideally, these should be generic IOStreams, and  
> should apply to other protocols than "mountpoint" or "file".  Think  
> scratch areas, webdav/svn integration, file upload with folder watch  
> (but the method of doing so would have to be well-defined and more  
> secure).  The initial proposal is not meant to cover this, but a  
> properly worked out, future revision could cover both.

I would be happy to review a proposal that is intended for Web  
content, once one is available.

Regards,
Maciej
Received on Thursday, 8 May 2008 09:52:00 GMT
