Re: File IO...

Scott Shattuck wrote:
> This is possible today on IE and Mozilla with a single user-visible 
> security prompt.

That's only the case in Mozilla if:

1) The script is running at a file:// URI

   or

2) The user has changed a hidden preference to allow random
    sites to put up this prompt.

   or

3) The site is in a signed jar.  In particular, in this situation
    the user has a bit more of an idea of "who" the site is than
    in most cases.

Note that there are likely to be more restrictions placed on this functionality 
in the future (possibly including removing it altogether).

> Once answered this functionality is accessible.

Temporarily, yes.  The permissions grant is for the lifetime of the JS stack 
frame the request was made in, unless the user selects the "remember this 
decision" checkbox.

> "Remember this decision" to the above prompt.

Yes, but that's a very clear decision on the user's part.  And again, it's 
something that's subject to change.  It's certainly not something that we feel 
is particularly great security.

-Boris

Received on Wednesday, 7 May 2008 19:15:33 UTC