How to prevent FileSystem Access

[harunoz]

Hello, I am trying to design a tool to avoid malicious use of this API. So, how can I create a tool to stop the events of these API even though the user gives a permission to website. For example, how can I hook into writable.close() function? So that before the website's permanent activity I can somehow analyze the website to decide whether it is being malicious.

Thank you.

[Jaifroid]

Are you trying to write an extension or add-on that woudl disable this API?

[harunoz]

Thank you for your answer, but not exactly. What I am trying to do is before this API makes persistent changes to local files, I would like analyze the website first. Do you have any suggestion for that?

[Jaifroid]

OK, but then I can't understand how you intend to insert your inspection code. Either you are the author of the app that you have placed on a server for others to use, in which case I presume you trust yourself not to write malicious code (!), or else you are a user using someone else's app on their website, in which case you have no way to rewrite the code to add some inspection routine, but you are given a chance to grant or deny permission.

That's why I asked if you were writing an extension, because extensions can act as a middle-man and inspect the http requests.

[harunoz]

Thank you for your answer again, yeah I would like to middle-man style application. Currently, what I am trying to do is I am monitoring the local files of the user and I am looking for the created .crswap files for that inspection. However, for now I am only able to monitor one crswap files, the tools that I am using currently (inotifywait) not fast enough for that.

Is there any other way to achieve that? I mean for example can I hook one function of the Native File System API to monitor and analyze the .crswap files before it makes the persistent change?

Thank you.

[mkruisselbrink]

This does not seem like a spec issue. Chrome has enterprise policies that let you block using this API. If you want more than those policies allow, that would be a chrome feature request.