Security Re: File IO... from Charles McCathieNevile on 2008-05-07 (public-webapi@w3.org from May 2008)

From: Charles McCathieNevile <chaals@opera.com>
Date: Wed, 07 May 2008 18:39:02 +0100
To: "Maciej Stachowiak" <mjs@apple.com>
Cc: "Web API WG (public)" <public-webapi@w3.org>
Message-ID: <op.uasoncizwxe0ny@pc085.coreteam.oslo.opera.com>

On Wed, 07 May 2008 16:47:06 +0100, Maciej Stachowiak <mjs@apple.com>  
wrote:

> On May 7, 2008, at 6:39 AM, Charles McCathieNevile wrote:
>
>>
>> Hi folks,
>>
>> Opera has a proposal for a specification that would revive (and  
>> supersede)
>> the file upload API that has been lingering so long as a work item.
>>
>> In a nutshell, it provides the ability for a web application to get a
>> filespace, by asking the user to identify such a space, and making it
>> available to that application something like a virtual file system.
>
> I am concerned about the security implications of this proposal. File  
> upload in HTML is based on the user explicitly selecting a particular  
> file. This has relatively low security risk, since the user is choosing  
> one specific file that he or she wishes to transmit, and all that can be  
> done with that file is upload its bytes.
>
> However, this API grants much more power than that.

Yep. That's the idea.
> Here are some of the more obvious security issues:
[several obviously interesting things]
> 6) Despite clearly having major security considerations, the document  
> has no Security Considerations section.

Indeed. (It also has no table of contents). There are obviously security  
issues any time you give access to something like the filesystem. That  
said, there are valuable use cases for access to the filesystem. The idea  
of standardising this currently rough proposal is that we identify and  
deal with those. An obvious approach would be to limit availability of  
this to "trusted content" for some definition of that (and different  
browsers currently have different definitions).

As a work item we can happily raise the security issues and provide  
guidance about what circumstances open what kinds of risk. Which is what  
we would like to do, as part of making the functionality available to  
application developers in some way.

cheers

Chaals

-- 
Charles McCathieNevile  Opera Software, Standards Group
     je parle français -- hablo español -- jeg lærer norsk
http://my.opera.com/chaals   Try Opera 9.5: http://snapshot.opera.com

Received on Wednesday, 7 May 2008 17:39:46 UTC