W3C home > Mailing lists > Public > whatwg@whatwg.org > April 2017

Re: [whatwg] Accessing local files with JavaScript portably and securely

From: duanyao <duanyao@ustc.edu>
Date: Mon, 17 Apr 2017 21:22:20 +0800
To: Roger Hågensen <rh_whatwg@skuldwyrm.no>, whatwg@lists.whatwg.org
Message-ID: <a4935ca9-d093-b00e-613c-b759bdd0829a@ustc.edu>
在 2017年04月17日 20:43, Roger Hågensen 写道:
> On 2017-04-17 13:53, duanyao wrote:
>> For single page application, browsers restrict `foo.html`'s permission
>> to `foo_files/` in the same parent directory. Note that it is already 
>> a common practice for browsers
>> to save a page's resource to a `xxx_files/` directory; browsers just 
>> need to grant the permission
>> of `xxx_files/`.
>
> I like that idea. But there is no need to treat single and multipage 
> differently is there?
>
>
> d:\documents\test.html
> d:\documents\test.html_files\page2.html
> d:\documents\test.html_files\page3.html
>
> This can handle multipage fine as well.
> Anything in the folder test.html_files is considered sandboxed under 
> test.html
The problem is, what if users open `test_files\page2.html`or 
`test_files\page3.html`directly? Can they access `test_files\config.json`?
This is to be solve by the "muli-page application" convention. By the 
way, the name of the directory is usually `foo_files`, not `foo.html_files`.

>
> This would allow a user (for a soundboard) to drop audio files into
> d:\documents\test.html_files\sounds\jingle\
> d:\documents\test.html_files\sounds\loops\
> and so on.
>
> And if writing ability is added to javasript then write permission 
> could be given to those folders (so audio files could be created and 
> stored without "downloading" them each time)
>
> I just checked what naming Chrome does and it uses the page title. I 
> can't recall what the other browsers do. And adds _files to it.
Chrome can be configured to ask for location when saving a page, then 
you can name it as you will.
The "xxx_files" convention was introduced by IE or Netscape long ago, 
and other browsers just follow it.

>
> So granting read/write/listing permissions for the html file to that 
> folder and it's subfolders would certainly make single page offline 
> apps possible.
Yeah, I think it is unlike harmful to allow write/listing permission as 
well.
>
> I have not tested how editing/adding to this folder affect things, 
> deleting the html file also deletes the folder (at least on Windows 
> 10, and I seem to recall on Windows 7 as well).
There is no magic link between `foo.html` and `foo_files/`, this is just 
a trick of Windows Explorer. You can change things by hand in that 
directory as you will.

> I'm not sure if a offline app needs the folder linked to the html file 
> or not.
> A web developer might create the folder manually in which case there 
> will be no link. And if zipped and moved to a different 
> system/downloaded by users then any such html and folder linking will 
> be lost as well.
>
> Maybe instead of d:\documents\test.html_files\
> d:\documents\test.html_data\ could be used?
> This would also distinguish it from the current user saved webpages.
>
>
>
Received on Monday, 17 April 2017 13:23:10 UTC

This archive was generated by hypermail 2.3.1 : Monday, 17 April 2017 13:23:10 UTC