
Re: PDF alternative using HTML (proposal)

From: Adrian Hope-Bailie <adrian@hopebailie.com>
Date: Tue, 12 Jan 2016 13:33:38 +0200
Message-ID: <CA+eFz_+D5vjHiFgHQmqCSb-mE4e+qGf_quq07T=ZR+qSQN6mQQ@mail.gmail.com>
To: Craig Francis <craig@craigfrancis.co.uk>
Cc: public-webappsec@w3.org

+1 - seems like something worth standardizing if browsers will standardize
the security model that is applied to this browsing context.

Assumptions:

   - ALL embedded resources would be packaged in the archive
   - The script execution capabilities of this app would be severely
   limited (no network requests for example).

Observations:

   - "ability to change layout depending on screen size" means embedding
   resources for all supported screen sizes in the archive - how big could
   this archive get? Would be useful to try a few examples and see.
   - I can see the tooling for this becoming quite powerful and ultimately
   allowing you to produce documents and slide decks that are far superior to
   those from existing proprietary formats.
   - I would imagine that if I opened the file /tmp/html-document.hta it
   would open in my browser and the address bar would show
   file:///temp/html-document.hta
   Can I browse to other HTML files in the archive? And if so what is their
   URL?
   E.g. Would the file example/otherfile.html inside the archive be at the
   URL file:///temp/html-document.hta/example/otherfile.html ?

I stole the .hta extension from Microsoft's HTML Applications (
https://en.wikipedia.org/wiki/HTML_Application).
Similar idea with the opposite security principles and very little success
as far as I know.

On 12 January 2016 at 12:54, Craig Francis <craig@craigfrancis.co.uk> wrote:

> Hi,
>
> Recently I've been thinking of some of the problems with PDFs, which are
> useful for creating a document that can be archived, emailed, printed, etc.
>
> HTML has solutions for many of PDF's problems though, for example
> structured text (accessibility), ability to change layout depending on
> screen size (no need for small screen devices to zoom into a fixed A4
> layout), can change font size, better indexing support (searching for
> documents), etc.
>
> Unfortunately you can't just email an HTML document to someone, as this
> causes a range of security problems, and including resources can be
> difficult (you can inline them, or use MHTML, but these are tricky to
> create).
>
> So I was wondering if we could take the approach that Microsoft Word did
> with the docx format, Java with JAR, PHP with PHAR, etc...
>
> Have a new file format, associated with the browser, which is just a
> ZIP/GZIP file that contains an index.html file, and everything else needed
> for the document.
>
> Then from a security point of view, it can be locked down to its own
> little box, so no access to other files on the file system, probably no
> access to cookies/localstorage, no ability to connect to another host
> (maybe).
>
> And from the user's point of view, the document could be protected with a
> password (a feature that ZIP/GZIP provides already, and the browser can
> prompt for when opening).
>
> So would this help with the security aspects of emailing HTML files to
> people (e.g. reports), and be better than PDFs?
>
> Craig
>
>
> https://code.google.com/p/chromium/issues/detail?id=575677
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1237990
>
>
Received on Tuesday, 12 January 2016 11:34:07 UTC
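
An added example (not part of the original messages, and not any browser's implementation): a Python check for the first assumption in the reply, that all embedded resources are packaged in the archive, applied to a ZIP with an index.html entry as proposed. The function names, finding labels and the sample archive are constructed for illustration; only HTML attributes are scanned, not CSS `url()` references.

```python
import io, posixpath, zipfile
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_ATTRS = {"src", "href", "poster", "data"}  # HTML only; CSS url() is not scanned

class RefCollector(HTMLParser):
    """Collect URL-bearing attribute values from one HTML document."""
    def __init__(self):
        super().__init__()
        self.refs = []
    def handle_starttag(self, tag, attrs):
        self.refs += [v for k, v in attrs if k in URL_ATTRS and v]

def audit_archive(data, entry="index.html"):
    """Return findings; an empty list means the archive is self-contained."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for n in sorted(names):
            # Member names must stay inside the archive root.
            if n.startswith("/") or ".." in n.split("/"):
                findings.append(("unsafe-member-name", n))
        if entry not in names:
            return findings + [("missing-entry", entry)]
        for page in sorted(n for n in names if n.endswith(".html")):
            parser = RefCollector()
            parser.feed(zf.read(page).decode("utf-8", "replace"))
            for ref in parser.refs:
                u = urlsplit(ref)
                if u.scheme == "data" or not (u.scheme or u.netloc or u.path):
                    continue  # inlined resource or same-document fragment
                if u.scheme or u.netloc:
                    findings.append(("non-archive-url", page, ref))
                    continue
                base = posixpath.dirname(page)
                target = posixpath.normpath(posixpath.join(base, u.path))
                if target not in names:
                    findings.append(("not-in-archive", page, ref))
    return findings

def build_sample(extra_html=""):
    """Constructed sample archive: index.html plus two packaged resources."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("index.html", '<img src="img/logo.png">'
                    '<a href="example/otherfile.html">next</a>' + extra_html)
        zf.writestr("img/logo.png", b"\x89PNG")
        zf.writestr("example/otherfile.html", '<a href="../index.html">back</a>')
    return buf.getvalue()
```

Relative links between pages inside the archive (the `example/otherfile.html` case raised in the reply) resolve against the archive root, so they pass; any reference carrying a scheme or host is reported.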
