Re: [whatwg] Accessing local files with JavaScript portably and securely

On 2017-04-17 15:22, duanyao wrote:
>> This can handle multipage fine as well.
>> Anything in the folder test.html_files is considered sandboxed under
>> test.html
> The problem is, what if users open `test_files\page2.html`or
> `test_files\page3.html`directly? Can they access `test_files\config.json`?
> This is to be solve by the "muli-page application" convention. By the
> way, the name of the directory is usually `foo_files`, not
> `foo.html_files`.

Good point. But why would a user do that when the entry point is the 

In this case the browser could just fallback to default behavior for 
local html files.

Alternatively the browser could have some logic that knows that this is 
a page under the test folder which is the sandbox for test.html

Also your example of "test_files\page3.html" and 
"test_files\config.json" ofcourse page3.html could access it, just like 
it could access config.js if not for CORS on XHR and local files.

Actually a lot of the issue here is XHR (and fetch) not being possible 
for local web pages.

The only reason I suggested using the same naming convention for the 
sandbox folder is that (at least on Windows) Explorer deletes both the 
html and folder something users are familiar with. Though I'm sure 
Microsoft could add support for the same to another folder naming 
convention, I can't see that being backported to Windows 8.1/8/7.

>> I just checked what naming Chrome does and it uses the page title. I
>> can't recall what the other browsers do. And adds _files to it.
> Chrome can be configured to ask for location when saving a page, then
> you can name it as you will.
> The "xxx_files" convention was introduced by IE or Netscape long ago,
> and other browsers just follow it.
> ...
>> I have not tested how editing/adding to this folder affect things,
>> deleting the html file also deletes the folder (at least on Windows
>> 10, and I seem to recall on Windows 7 as well).
> There is no magic link between `foo.html` and `foo_files/`, this is just
> a trick of Windows Explorer. You can change things by hand in that
> directory as you will.

I just confirmed that. just creating a empty .html file and a same named 
folder with _Files at the end does "link" them in Explorer.
Is this unique to Windows or does other platforms do the same/something 

Unless specified otherwise, anything I write publicly is considered 
Public Domain (CC0).
Roger Hågensen,
Freelancer, Norway.

Received on Tuesday, 18 April 2017 08:09:42 UTC