- From: duanyao <duanyao@ustc.edu>
- Date: Wed, 12 Apr 2017 13:07:50 +0800
- To: Gregg Tavares <gman@chromium.org>, WHAT Working Group <whatwg@whatwg.org>
We should be aware of the security risks when recommending a "simple web server".

* Most (if not all) simple web servers don't block access from non-local hosts by default, which can leak users' files. Although your firewall can block them for you, users do need to unblock non-local hosts sometimes (e.g. to test with a smart phone), so some may have whitelisted the server anyway.

* Even if non-local hosts are blocked, non-current users' (in the same OS) access can't be blocked easily by a web server. In contrast, file:// access is subject to file permission checks.

* Most (if not all) simple web servers are hobby projects, so they probably lack enough security audit. E.g. how are URLs like "/foo/../../../bar" handled to prevent escaping from the root directory?

Those risks may be a non-issue for experienced developers, but do affect newbie developers and normal users. So in my opinion, it is much better to improve and standardize file-url handling in browsers.

Regards,
Duan, Yao

On 2017-04-10 04:33, Gregg Tavares wrote:
> I know this doesn't address your CD-ROM/USB stick situation but FYI...
>
> for the dev situation there are many *SUPER* simple web servers
>
> https://greggman.github.io/servez/
>
> https://github.com/cortesi/devd/
>
> https://github.com/indexzero/http-server/
>
> https://docs.python.org/2/library/simplehttpserver.html (not recommended,
> haven't tried the python 3 one)
>
> https://chrome.google.com/webstore/detail/web-server-for-chrome/ofhbbkphhbklhfoeikjpcbhemlocgigb?hl=en
> (soon to be deprecated)
>
> more here
> http://stackoverflow.com/questions/12905426/what-is-a-faster-alternative-to-pythons-http-server-or-simplehttpserver
>
> On Mon, Apr 10, 2017 at 4:36 AM, Jan Tosovsky <jan.tosovsky.cz@gmail.com>
> wrote:
>
>> On 2017-04-09 David Kendal wrote:
>>> ... there are many possible uses for local static files accessing
>>> other local static files: the one I have in mind is shipping static
>>> files on CD-ROM or USB stick...
>>
>> In this case the file structure is fixed so it can be exported as JSON
>> file and then linked via the HTML header in every HTML file where it is
>> needed. This structure is then directly available for the further
>> processing.
>>
>> However, I am not sure this covers your use case.
>>
>> Jan
Received on Wednesday, 12 April 2017 05:09:11 UTC
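As an added illustration of two of the concerns raised in the message above (not code from the thread or from any of the servers Gregg lists), here is a minimal Python 3 static server that binds to the loopback address only and refuses request paths that would resolve outside the served directory, including percent-encoded and backslash spellings of `..`. The names `safe_local_path`, `LocalOnlyHandler` and the `ROOT` default are constructed for this example.

```python
import os
from http.server import HTTPServer, SimpleHTTPRequestHandler
from urllib.parse import unquote, urlsplit


def safe_local_path(root, url_path):
    """Map a request path onto a file under `root`; return None if the
    request would escape the served directory."""
    root = os.path.realpath(root)
    # Decode %xx first so an encoded '..' (%2e%2e) is seen as '..', and
    # treat backslash as a separator the way Windows filesystems do.
    path = unquote(urlsplit(url_path).path).replace("\\", "/")
    segments = [s for s in path.split("/") if s not in ("", ".")]
    if ".." in segments:
        return None  # explicit traversal: refuse rather than silently clamp
    candidate = os.path.realpath(os.path.join(root, *segments))
    # realpath follows symlinks, so a link inside root that points
    # outside it is rejected here as well.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


class LocalOnlyHandler(SimpleHTTPRequestHandler):
    """Serves files under ROOT and refuses paths that resolve outside it."""

    ROOT = "."  # constructed default: the directory to publish

    def send_head(self):
        if safe_local_path(self.ROOT, self.path) is None:
            self.send_error(403, "Path escapes the served directory")
            return None
        return super().send_head()

    def translate_path(self, path):
        # Only reached after send_head() has accepted the path.
        return safe_local_path(self.ROOT, path)


if __name__ == "__main__":
    # Bind to loopback only, so other hosts on the network cannot reach
    # the server even if the firewall lets the port through.
    HTTPServer(("127.0.0.1", 8000), LocalOnlyHandler).serve_forever()
```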