Open jespertheend opened 5 years ago
pwnall
commented
5 years ago I think that what you want should be covered by the Web Share Level 2 API.
I don't know if any browser implemented Web Share Level 2 on desktop. For example, Chrome's feature page suggests that it's only available on Android. If you agree that Web Share Level 2 meets your goals, I suggest that you file bugs against browsers asking to have the feature implemented on desktop.
jespertheend
commented
5 years ago Hmm I don't think Web Share Level 2 fits here. Using web share for this is more like creating a copy of the file. Whereas in this case I mean to open an existing file that is already on the users hard disk. So that when the user saves the specified file in the external editor for instance, it would be possible to read the changes from the web app.
jespertheend
commented
5 years ago Now that I think of it, a 'show in explorer/finder' kind of function would already be a big step forward without any additional security risks.
inexorabletash
commented
5 years ago There's discussion of this at:
https://discourse.wicg.io/t/features-that-desktop-web-apps-still-need/2531 (Item 2)
On the Chrome side, we're tracking the feature request as https://bugs.chromium.org/p/chromium/issues/detail?id=897313 but no plans or commitment.
jespertheend
commented
5 years ago Ah interesting, that's exactly what I'm talking about. I'd love to see this, though perhaps it's a bit too early for this. Maybe this is better suited for a future version of the spec.
jespertheend
commented
4 years ago
Not sure if this has been suggested already, and I'm also not sure if this is possible from a security standpoint, but here goes nothing.
I'm looking for some sort of way to be able to open certain files in an external program. This could be useful for a web based file browser for instance. You could select a folder and then browse its files in the web app. Then when double clicking a file from within the web app you could open the file in, say, a text editor or a photo viewer.
I think it's important to have this functionality in order to be able to do things that can currently only be done with native apps. But like I said, I'm not sure if this is possible in regards to security. You'd have to communicate clearly to the user that when you select a folder, the web app can not only read and write to it, but also open its files.
I think the biggest issue with this is that a web app can create a malicious file and then not only write it to the users disk, but also open it. It would allow a developer to execute arbitrary code by creating a malformed pdf for instance and using an exploit in the pdf viewer.
Perhaps one posibility to counter this is to only allow certain applications to be opened. And also it would be a good idea to not give away what application the file will be opened with. This could be the default application selected by the OS, or the user agent could show UI to let the user select what application should be opened.
Or perhaps only PWAs that registered a file handler in their manifest should be allowed to be opened. I think that eliminates most if not all of the security issues that could come with this.
I'm not sure if it is too soon for this, maybe this is better for a future version of the spec. But I kind of needed the functionality for a thing I'm working on so I figured I might as well share my thoughts.