- From: Adrian Hope-Bailie <adrian@hopebailie.com>
- Date: Tue, 12 Jan 2016 13:33:38 +0200
- To: Craig Francis <craig@craigfrancis.co.uk>
- Cc: public-webappsec@w3.org
- Message-ID: <CA+eFz_+D5vjHiFgHQmqCSb-mE4e+qGf_quq07T=ZR+qSQN6mQQ@mail.gmail.com>
+1 - seems like something worth standardizing if browsers will standardize the security model that is applied to this browsing context.

Assumptions:

- ALL embedded resources would be packaged in the archive
- The script execution capabilities of this app would be severely limited (no network requests for example).

Observations:

- "ability to change layout depending on screen size" means embedding resources for all supported screen sizes in the archive - how big could this archive get? Would be useful to try a few examples and see.
- I can see the tooling for this becoming quite powerful and ultimately allowing you to produce documents and slide decks that are far superior to those from existing proprietary formats.
- I would imagine that if I opened the file /tmp/html-document.hta it would open in my browser and the address bar would show file:///temp/html-document.hta
  Can I browse to other HTML files in the archive? And if so what is their URL? E.g. would the file example/otherfile.html inside the archive be at the URL file:///temp/html-document.hta/example/otherfile.html ?

I stole the .hta extension from Microsoft's HTML Applications (https://en.wikipedia.org/wiki/HTML_Application). Similar idea with the opposite security principles and very little success as far as I know.

On 12 January 2016 at 12:54, Craig Francis <craig@craigfrancis.co.uk> wrote:

> Hi,
>
> Recently I've been thinking of some of the problems with PDFs, which are
> useful for creating a document that can be archived, emailed, printed, etc.
>
> HTML has solutions for many of PDF's problems though, for example
> structured text (accessibility), ability to change layout depending on
> screen size (no need for small screen devices to zoom into a fixed A4
> layout), can change font size, better indexing support (searching for
> documents), etc.
>
> Unfortunately you can't just email an HTML document to someone, as this
> causes a range of security problems, and including resources can be
> difficult (you can inline them, or use MHTML, but these are tricky to
> create).
>
> So I was wondering if we could take the approach that Microsoft Word did
> with the docx format, Java with JAR, PHP with PHAR, etc...
>
> Have a new file format, associated with the browser, which is just a
> ZIP/GZIP file that contains an index.html file, and everything else needed
> for the document.
>
> Then from a security point of view, it can be locked down to its own
> little box, so no access to other files on the file system, probably no
> access to cookies/localstorage, no ability to connect to another host
> (maybe).
>
> And from the user's point of view, the document could be protected with a
> password (a feature that ZIP/GZIP provides already, and the browser can
> prompt for when opening).
>
> So would this help with the security aspects of emailing HTML files to
> people (e.g. reports), and be better than PDFs?
>
> Craig
>
> https://code.google.com/p/chromium/issues/detail?id=575677
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1237990
Received on Tuesday, 12 January 2016 11:34:07 UTC
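
The assumption in this message that all embedded resources are packaged in the archive, and the question of how other files inside it are addressed, can be checked mechanically. The following is an added example, not code from the thread or from any browser: it audits a ZIP-packaged document for sub-resources that would need the network and for relative references that do not resolve to an archive entry. The names `RefCollector`, `audit_archive`, `build_archive`, `SAMPLE` and the host `cdn.example` are hypothetical.

```python
import io
import zipfile
from html.parser import HTMLParser
from posixpath import dirname, join, normpath
from urllib.parse import unquote, urlsplit

class RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (attribute value, is_subresource)
    def handle_starttag(self, tag, attrs):
        # <a href> is navigation; every other src/href is fetched on load
        self.refs += [(v, (tag, k) != ("a", "href"))
                      for k, v in attrs if v and k in ("src", "href")]

def audit_archive(data):
    """Return findings for a zipped HTML document given as bytes."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        findings = [] if "index.html" in names else ["missing index.html"]
        for name in sorted(n for n in names if n.endswith((".html", ".htm"))):
            parser = RefCollector()
            parser.feed(zf.read(name).decode("utf-8", "replace"))
            for ref, is_subresource in parser.refs:
                url = urlsplit(ref)
                remote = bool(url.scheme or url.netloc)
                if url.scheme == "data" or not (remote or url.path):
                    continue  # inline data, or a same-document "#fragment"
                # Resolve relative to the referencing file, inside the archive
                target = normpath(join(dirname(name), unquote(url.path)))
                if remote and is_subresource:
                    findings.append(f"{name}: external reference {ref}")
                elif not remote and target not in names:
                    findings.append(f"{name}: unresolved reference {ref}")
    return findings

SAMPLE = {  # constructed archive contents, not taken from the thread
    "index.html": '<script src="https://cdn.example/lib.js"></script>'
                  '<a href="example/otherfile.html">next</a>',
    "example/otherfile.html": '<img src="missing.png"><a href="../index.html#top">back</a>',
}

def build_archive(files=SAMPLE):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in files.items():
            zf.writestr(name, body)
    return buf.getvalue()

if __name__ == "__main__":
    print("\n".join(audit_archive(build_archive())))
```

Only `src` and `href` attributes are inspected; references made from CSS `url()`, `srcset` or script are outside what this check covers.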