- From: Adam Barth <w3c@adambarth.com>
- Date: Thu, 20 Sep 2012 08:54:27 -0700
- To: James Graham <jgraham@opera.com>
- Cc: "Edward O'Connor" <eoconnor@apple.com>, public-webapps@w3.org
On Wed, Sep 19, 2012 at 11:50 PM, James Graham <jgraham@opera.com> wrote: > On Wed, 19 Sep 2012, Adam Barth wrote: >> On Wed, Sep 19, 2012 at 1:46 PM, James Graham <jgraham@opera.com> wrote: >>> On Wed, 19 Sep 2012, Edward O'Connor wrote: >>>> Olli wrote: >>>>> I think we should discuss about moving File API: Directories and >>>>> System API from Recommendation track to Note. >>>> >>>> Sounds good to me. >>> >>> Indeed. We are not enthusiastic about implementing an API that has to >>> traverse directory trees as this has significant technical challenges, or >>> may expose user's path names, as this has security implications. Also >>> AIUI this API is not a good fit for all platforms. >> >> There's nothing in the spec that exposes user paths. That's just FUD. > > I was thinking specifically of the combination of this and Drag and Drop and > this API. I assumed that at some level one would end up with a bunch on > Entry objects which seem to expose a path. It then seems that then a user > who is tricked into dragging their root drive onto a webapp would expose all > their paths. > > It is quite possible that this is a horrible misunderstanding of the spec, > and if so I apologise. Nevertheless I think it's poor form to immediately > characterise an error as a deliberate attempt to spread lies. It just has nothing to do with the spec. It's like complaining that DOMString might leak user paths because if you use a DOMString with drag and drop, you might leak user paths. Adam
Received on Thursday, 20 September 2012 15:55:26 UTC