
[whatwg] Device Element

From: Glenn Maynard <glenn@zewt.org>
Date: Sun, 9 Jan 2011 16:25:28 -0500
Message-ID: <AANLkTinKkydM=i-JBAKU0Nscv1O=igC4aysMaGeG0z0H@mail.gmail.com>

On Sun, Jan 9, 2011 at 4:10 PM, Bjartur Thorlacius <svartman95 at gmail.com> wrote:
> On 1/9/11, Glenn Maynard <glenn at zewt.org> wrote:
>> File access control is currently, very clearly and very deliberately,
>> handled by the browser: web pages can only access files the user gives
>> to the page by selecting them in form input boxes.  What you're
>> actually saying is that this should be removed, web pages should be
>> able to access any local file that the OS user account the script is
>> running as has access to, and that users should control what files
>> they want web pages to access by modifying the operating system's
>> ACL's to grant and revoke access to web pages.
> Precisely. Any hurdles I've foreseen with that method so far are OS' faults.

Browsers can use OS mechanisms *under the hood* if they want, but it's
absolutely the browser's job to expose website-specific privilege
escalation to the user, and it's absolutely the job of designers of
web APIs to design mechanisms to request it.  (For example, a file
input box is a form of requesting privilege escalation.  By selecting
a file, you elevate the page's permissions temporarily to give it
access to that file.)

I'm very certain that HTML5 file access will not be changed to allow
any script to access any file that the OS allows the Javascript engine
to access.

-- 
Glenn Maynard
Received on Sunday, 9 January 2011 13:25:28 UTC
