Re: Moving File API: Directories and System API to Note track?

On Wed, Sep 19, 2012 at 11:50 PM, James Graham <jgraham@opera.com> wrote:
> On Wed, 19 Sep 2012, Adam Barth wrote:
>> On Wed, Sep 19, 2012 at 1:46 PM, James Graham <jgraham@opera.com> wrote:
>>> On Wed, 19 Sep 2012, Edward O'Connor wrote:
>>>> Olli wrote:
>>>>> I think we should discuss moving File API: Directories and
>>>>> System API from Recommendation track to Note.
>>>>
>>>> Sounds good to me.
>>>
>>> Indeed. We are not enthusiastic about implementing an API that has to
>>> traverse directory trees as this has significant technical challenges, or
>>> may expose user's path names, as this has security implications. Also
>>> AIUI this API is not a good fit for all platforms.
>>
>> There's nothing in the spec that exposes user paths.  That's just FUD.
>
> I was thinking specifically of the combination of this and Drag and Drop and
> this API. I assumed that at some level one would end up with a bunch of
> Entry objects which seem to expose a path. It then seems that a user
> who is tricked into dragging their root drive onto a webapp would expose all
> their paths.
>
> It is quite possible that this is a horrible misunderstanding of the spec,
> and if so I apologise. Nevertheless I think it's poor form to immediately
> characterise an error as a deliberate attempt to spread lies.

It just has nothing to do with the spec.  It's like complaining that
DOMString might leak user paths because if you use a DOMString with
drag and drop, you might leak user paths.

Adam

Received on Thursday, 20 September 2012 15:55:26 UTC