[FileSystem]: URI format, uses

The Entry.toURI method specified in the FileSystem spec [1] currently
has an open issue to define its format.  I believe we also need to
describe the ways in which it can and cannot be used, as some
potential uses may have security implications.

I propose the following format:

filesystem:{protocol}://{domain}[:port]/{storage type}/{path}

e.g. filesystem:https://www.google.com/persistent/images/logo.png

I think that, for the domain that owns the asset referred to by the
URI, pretty much any reasonable use should be allowed:
video/audio/img/iframe/script sources, XHR [GET only], etc.  I'm
iffier on allowing any access to other origins, even for e.g. img
sources, even though they're normally allowed cross-origin.  I'd love
to hear security arguments against and use cases for cross-origin
access.  Of course, it's always easiest/safest to start out not
allowing such a thing and relax the rules later.

Thanks in advance for any comments.

     Eric Uhrhane
     ericu@google.com

[1] http://dev.w3.org/2009/dap/file-system/file-dir-sys.html#widl-Entry-toURI

Received on Friday, 21 January 2011 23:13:38 UTC
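
The proposed format and the same-origin-only starting rule from the message above, sketched as an added example that is not part of the original post or of the FileSystem spec. Assumptions: the function names `parseFilesystemURI` and `mayAccess` are hypothetical, the storage types are taken to be `temporary` and `persistent` (the post shows only `persistent`), and rejecting userinfo, query, fragment and dot segments is a choice made by this example.

```javascript
// Added example, not from the original post or the FileSystem spec.
// Proposed shape: filesystem:{protocol}://{domain}[:port]/{storage type}/{path}
const STORAGE_TYPES = new Set(["temporary", "persistent"]); // assumption: post shows only "persistent"
const SHAPE = /^filesystem:([a-z][a-z0-9+.-]*:\/\/[^\/?#@]+)\/([^\/?#]+)\/([^?#]*)$/i;

function isDotSegment(segment) {
  try {
    const s = decodeURIComponent(segment);
    return s === "." || s === "..";
  } catch (e) {
    return true; // malformed percent-escape: treat as unsafe
  }
}

// Returns { origin, storageType, path } or null if the URI does not fit the format.
function parseFilesystemURI(uri) {
  const m = SHAPE.exec(String(uri));
  if (!m) return null;
  let origin;
  try {
    origin = new URL(m[1]).origin; // lowercases the host, drops a default port
  } catch (e) {
    return null;
  }
  if (origin === "null") return null; // scheme with no usable origin
  if (!STORAGE_TYPES.has(m[2])) return null;
  // Refuse "." and ".." (also percent-encoded) so a path cannot climb out of its storage type.
  if (m[3].split("/").some(isDotSegment)) return null;
  return { origin, storageType: m[2], path: "/" + m[3] };
}

// Conservative starting rule from the post: only the owning origin may use the URI.
function mayAccess(requestingOrigin, uri) {
  const parsed = parseFilesystemURI(uri);
  if (!parsed) return false;
  let requester;
  try {
    requester = new URL(requestingOrigin).origin;
  } catch (e) {
    return false;
  }
  return requester !== "null" && requester === parsed.origin;
}
```

Comparing normalized origins rather than raw strings keeps `https://www.google.com` and `https://www.google.com:443` equivalent while still separating `http` from `https`.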