Use Cases and Requirements for Saving Files Securely

Hi, Folks-

During the TPAC joint meeting between the WebApps and DAP WGs, we 
discussed security policies and use cases and requirements around saving 
files in different scenarios: public web resources (web pages and apps), 
widgets, mobile device and desktop browsers, locally-installed 
applications, etc. [1]

To kick this thread off, I'd like to suggest the trust model that 
already exists for local applications and browsers, which is to open a 
modal dialog that allows the user to select the file the application can 
save to; for webapps, I suggest the extra security consideration we add 
is to have the file hook which is returned is completely opaque (as far 
as the directory and file name) to the web app, and it just knows where 
to write.  Further, we should limit the upper bounds of the file size. 
I don't have any thoughts about auto-save across sessions, but it should 
be addressed (probably not allowed).

This could be evoked through the UI convention of a file dialog, or just 
as a bare API (if the user preferences allow the API to ask about saving 
files).  In any case, it should never be a "cool" webapp-specific file 
API dialog, only ever the native dialog of the browser (be it a desktop 
or mobile).

Please send in use cases, requirements, concerns, and concrete 
suggestions about the general topic (regardless of your opinion about my 
suggestion).

[1] http://www.w3.org/2009/11/02-dap-irc#T20-40-39-1

Regards-
-Doug Schepers
W3C Team Contact, SVG and WebApps WGs

Received on Monday, 2 November 2009 20:49:11 UTC