Re: DAP and security (was: Rename "File API" to "FileReader API"?)

On Thu, Nov 19, 2009 at 2:49 AM, David Rogers <david.rogers@omtp.org> wrote:
> -----Original Message-----
> From: public-device-apis-request@w3.org [mailto:public-device-apis-request@w3.org] On Behalf Of Adam Barth
> Sent: 19 November 2009 07:42
> To: Marcin Hanclik
> Cc: Maciej Stachowiak; Dominique Hazael-Massieux; Robin Berjon; public-device-apis@w3.org; public-webapps WG
> Subject: Re: DAP and security (was: Rename "File API" to "FileReader API"?)
>
> I'm skeptical that this approach will lead to a secure API for file
> access.  Abstracting the problem doesn't make the security challenges
> any easier.  The reason the HTML file upload control has been such a
> successful secure API for reading files is because the security issues
> are specifically *not* abstracted.  The entire API is designed around
> the security considerations and eliciting user consent in an
> easy-to-understand way.
>
> I suspect we'll need a similarly clever API design to address the
> security challenges of letting web content write to the user's file
> system.
>
> [DAVID] I would hope that we can come up with some clever API design in terms of safe logic. However, this does not solve the whole problem; at some point you need to make a decision / judgement call.

Really?  What decision / judgement call do we need to make for the
file upload control?  What decision / judgement call do we need to
make for the video tag?

> What the policy advocates are proposing is to advance the whole discipline here - let's improve this by adding strength in depth and allow the user to defer their decision to someone who they trust, who is willing to take the decision for them.

You're not listening to the folks on this thread who are telling you
that this model has been tried and failed.  At best this is a science
experiment.  Writing web standards is a terrible way to run a science
project.

Adam

Received on Thursday, 19 November 2009 15:47:35 UTC