Re: DAP and security (was: Rename "File API" to "FileReader API"?)

This is a good point, and an argument for "policy" rather than  
implicit user consent, if I'm not mistaken. It highlights that  
usability might also be an issue with the non-modal interaction  
model,  as well as not always be very meaningful (since I the user  
might have no idea what most directories are for or where to  
navigate). Arbitrary directory navigation for writing files is not a  
good idea.

More importantly we have to be careful with analogies.


regards, Frederick

Frederick Hirsch
Nokia



On Nov 18, 2009, at 3:14 PM, ext Jonas Sicking wrote:

> On Wed, Nov 18, 2009 at 5:27 AM, David Rogers  
> <david.rogers@omtp.org> wrote:
>> Hi Maciej,
>>
>>> From my side I'd like to understand what your thoughts and  
>>> proposals for file writing security / policy would entail - would  
>>> you defer the decision responsibility to the user via a prompt?
>
>> From my point of view the answer is unfortunately "there are no  
>> simple
> answers, it's always a judgement call".
>
> For example for the geolocation the security model is basically:
>
> 1. Page asks for user position
> 2. User is faced with a non-modal dialog where he/she can answer yes
> or no, or simply ignore the dialog
> 3. Only if the user answers "yes" then the position is returned to  
> the page.
>
> In this case I think this was an acceptable solution.
>
> If we added a directory API which gave access to a requested path on
> the users hard drive we could use a similar security model:
>
> 1. Page asks user for permission to read/write to a specific
> directory, say "C:\"
> 2. User is faced with a non-modal dialog where he/she can answer yes
> or no, or simply ignore the dialog
> 3. Only if the user answeres "yes" a reference to the directory is
> returned which the page can read from/write to.
>
> This would *not* be an acceptable solution to me, despite being
> basically identical to the geolocation case.
>
> The reason is two-fold. I think it's easier to explain to the user
> what the user is authorizing ("your location"), and if a user doesn't
> understand and still clicks "yes", it has less catastrophic results.
>
> For the directory API though, it's much harder to explain the decision
> to the user. What's the "C:\" directory? What's the difference between
> that and "C:\Documents and Settings\Jonas Sicking\My Images"? What's a
> directory? Also, if a user clicks "yes" without understanding the
> risks, that has catastrophic results if the directory in question is
> "C:\" and read/write access is granted.
>
> When it comes to security dialogs, the basic rule to keep in mind is
> "Lots of people are not going to understand it and just click whatever
> button they think will get stuff to work, or a random button".
>
> / Jonas
>

Received on Thursday, 19 November 2009 01:14:30 UTC