Re: Security Re: File IO...

On May 8, 2008, at 1:18 AM, Arve Bersvendsen wrote:

> On Wed, 07 May 2008 20:57:25 +0100, Maciej Stachowiak  
> <mjs@apple.com> wrote:
>
>> They both said that this proposal was only meant for things like  
>> widgets, and agreed with my assessment that it would be a giant  
>> security hole if exposed to web content.
>
> Without commenting further: Yes, in its current incarnation it  
> raises security concerns, but what I meant to say was more "Our  
> primary use case, and concerns that we have put into the initial  
> proposal, are centered around locally installed web applications, aka  
> widgets".
>
> I would not exclude making a subset of the proposal available to web  
> applications though. Note that the current proposal speaks of  
> FileStreams -- ideally, these should be generic IOStreams, and  
> should apply to other protocols than "mountpoint" or "file".  Think  
> scratch areas, webdav/svn integration, file upload with folder watch  
> (but the method of doing so would have to be well-defined and more  
> secure).  The initial proposal is not meant to cover this, but a  
> properly worked out, future revision could cover both.

I would be happy to review a proposal that is intended for Web  
content, once one is available.

Regards,
Maciej

Received on Thursday, 8 May 2008 09:52:00 UTC