Re: [w3ctag/design-reviews] Moving local files with the File System Access API (Issue #805)

> can you clarify what do you mean by "distinguish"

We now have the ability to say "this `FileSystemHandle` corresponds to a file in a bucket file system" (as opposed to the local file system). See https://fs.spec.whatwg.org/#filesystemhandle-is-in-a-bucket-file-system.

I expected the `move()` method to be specified similarly to [the existing specification](https://fs.spec.whatwg.org/#:~:text=Run%20implementation%2Ddefined%20malware%20scans%20and%20safe%20browsing%20checks.%20If%20these%20checks%20fail%2C%20reject%20closeResult%20with%20an%20%22AbortError%22%20DOMException%20and%20abort%20these%20steps.) for running malware checks when closing a `FileSystemWritableFileStream`:

> Run [implementation-defined](https://infra.spec.whatwg.org/#implementation-defined) malware scans and safe browsing checks. If these checks fail, [reject](https://webidl.spec.whatwg.org/#reject) closeResult with an "[AbortError](https://webidl.spec.whatwg.org/#aborterror)" [DOMException](https://webidl.spec.whatwg.org/#idl-DOMException) and abort these steps.

"Implementation-defined" is broad enough that each implementation could choose to skip malware checks for files in the bucket file system - which I expect is the case currently across all browsers. We could be explicit that these checks _must not_ run for files in the bucket file system (as I sketched out [above](https://github.com/w3ctag/design-reviews/issues/805#issuecomment-1614028832)). That would remove some theoretical flexibility on the part of the user agent, but in practice I don't expect that to be an issue (cc @jesup @szewai @annevk).

Meanwhile, there's the question @torgo posed about running security checks for local files ("necessary security guarantees"). From my perspective (please correct me if I'm misunderstanding), there are two pieces to this:

1. Can we specify these security checks in more detail, say [like downloads](https://html.spec.whatwg.org/#as-a-download)? (i.e. can we do better than just "implementation-defined"?)
2. Should we specify that security checks _must_ be run when saving or moving files on the local file system?

I don't think we want (2). See the non-normative language here: https://wicg.github.io/file-system-access/#security-malware

> user agents are encouraged to verify the contents of files modified by this API via malware scans and safe browsing checks, unless some kind of external strong trust relation already exists

The user agent should have the flexibility to skip security checks in some scenarios (e.g. the user agent can determine what qualifies as a "strong trust relation", how it's established, etc.).

Regarding (1), I'm open to discussing adding more detail (and since this also affects the existing specification of `FileSystemWritableFileStream`, we may want to move this discussion to a new issue on the FS spec). But without (2) we can't _guarantee_ any security behaviors.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/w3ctag/design-reviews/issues/805#issuecomment-1632654696
You are receiving this because you are subscribed to this thread.

Message ID: <w3ctag/design-reviews/issues/805/1632654696@github.com>

Received on Wednesday, 12 July 2023 14:40:52 UTC
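The comment above argues about where the "implementation-defined malware scans and safe browsing checks" step sits in the close()/move() algorithm and whether it should be skipped for bucket-file-system handles. The following is an added, self-contained model of those steps written for this page; it is not code from the thread, the File System spec or any browser. The handle objects, the `inBucketFileSystem` flag (standing in for the spec's "is in a bucket file system" predicate), the `markerScanner` stand-in for a real scanner, and the `scanBucketFiles` policy knob are all constructed assumptions; the real `FileSystemWritableFileStream` API is promise-based and only exists inside a browser.

```javascript
// Added example, not code from the thread: a toy model of the user-agent
// steps discussed above. Handles, the scanner and the policy knob are
// constructed here; the real FileSystemWritableFileStream API is
// promise-based and lives inside the browser.

// Node >= 17 exposes DOMException globally; fall back to a look-alike so the
// model also runs on older runtimes. The real API rejects with this type.
const DOMExceptionCtor =
  globalThis.DOMException ??
  class DOMException extends Error {
    constructor(message, name) { super(message); this.name = name; }
  };

// Constructed handle: `inBucketFileSystem` mirrors the spec predicate
// "is in a bucket file system" (true for the origin-private bucket,
// false for a file on the local disk).
function makeHandle(name, inBucketFileSystem) {
  return { name, inBucketFileSystem, bytes: new Uint8Array(0) };
}

// Stand-in for the "implementation-defined malware scans and safe browsing
// checks": passes unless a constructed marker string appears in the bytes.
function markerScanner(bytes) {
  return !new TextDecoder().decode(bytes).includes("CONSTRUCTED-BAD-MARKER");
}

// Model of the close() step (and of a move() step specified the same way):
// run the checks for local-file-system handles, skip them for bucket handles
// unless the hypothetical policy says otherwise, and surface a failure as an
// "AbortError" DOMException, which is how the existing close() step reports it.
function closeWritable(handle, bytes, scanner, policy = { scanBucketFiles: false }) {
  const runChecks = !handle.inBucketFileSystem || policy.scanBucketFiles;
  if (runChecks && !scanner(bytes)) {
    throw new DOMExceptionCtor("Safe browsing check failed", "AbortError");
  }
  handle.bytes = bytes;
  return handle;
}

// Web-app side: treat AbortError as "the user agent refused the write",
// not as a generic I/O failure, and rethrow anything else.
function saveWithChecks(handle, bytes, scanner = markerScanner) {
  try {
    closeWritable(handle, bytes, scanner);
    return "saved";
  } catch (err) {
    if (err.name === "AbortError") return "blocked";
    throw err;
  }
}
```

With the default policy the same flagged bytes are blocked when written to a local-file-system handle and accepted when written to a bucket handle, which is the behaviour the comment expects current browsers to have; flipping `scanBucketFiles` shows what the stricter "must run" reading of (2) would look like. A page should branch on `err.name === "AbortError"` rather than on the message text, since the message is not specified.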