- From: Maciej Stachowiak <mjs@apple.com>
- Date: Tue, 10 Nov 2009 17:47:50 -0800
- To: Robin Berjon <robin@berjon.com>
- Cc: public-device-apis@w3.org, public-webapps WG <public-webapps@w3.org>
On Nov 10, 2009, at 3:09 AM, Robin Berjon wrote: > On Nov 10, 2009, at 11:27 , Maciej Stachowiak wrote: >> On Nov 10, 2009, at 2:01 AM, Arve Bersvendsen wrote: >> On Tue, 10 Nov 2009 10:59:23 +0100, Adam Barth <w3c@adambarth.com> >> wrote: >>> >>>> Which is the proper mailing list to follow development of the file >>>> writing API? I'd like to follow it's security considerations. >>> >>> public-device-apis@w3.org >> >> At TPAC, I recall that we proposed drawing the line between file >> reading/writing on the one hand (presumably to go in the current >> File API spec) and filesystem access (including messing with >> directories, mountpoints, file renames etc) to be done in the >> Filesystem API spec. Do we need further discussion to settle what >> goes in which spec? > > No, we agreed that File Reader would keep going on in WebApps > because there's no reason to move something that's making progress > (unless Arun wants to move it, he's in both WGs anyway), but that > the rest would be done in DAP since it's more security sensitive and > new (and chartered there). I don't recall agreeing to that. I remember that we discussed multiple options, and I do not believe there was a resolution recorded along the lines of what you say. (But if I'm wrong, I guess the minutes will show. I think file writing (once the script has securely received a file handle) has different security considerations than directory manipulation and opening of arbitrary files. File writing should be designed with the browser security model in mind, because it's something that is reasonable to expose to Web content, given the right model for getting a writable handle (private use area or explicitly chosen by the user via "Save As" dialog). I think directory manipulation and opening of arbitrary files can't be fit into that security model and has to rely on a "widget security model" where there is an overall user trust decision. I would be concerned with leaving file writing to DAP, because a widely held view in DAP seems to be that security can be ignored while designing APIs and added back later with an external "policy file" mechanism. I would also be concerned with tying file writing to directory manipulation, because I think the former is reasonable to do in browsers and not the latter. Perhaps this means that we need three specs? Regards, Maciej
Received on Wednesday, 11 November 2009 01:48:26 UTC