WICG / file-system-access

Expose the file system on the user’s device, so Web apps can interoperate with the user’s native applications.
https://wicg.github.io/file-system-access/

Update the Security and Privacy Questionnaire #421

Open a-sully opened 1 year ago

a-sully commented 1 year ago

The questionnaire has changed over the years, and we should update this specification's answers to it, which are currently based on a 2019 version

In particular, new sections about non-fully-active documents are relevant to the recent proposals for new access modes for FileSystemSyncAccessHandle (see https://github.com/w3ctag/design-reviews/issues/845#issuecomment-1573216200) and the FileSystemObserver interface

jimmywarting commented 1 year ago

This feature exposes files and directories the user explicitly selects to share with web sites with those web sites. This feature doesn't expose any more information than is already exposed via and today.

I would like to add to that note that there is also a method of using DataTransferItem.prototype.webkitGetAsEntry, which is more powerful, coming from a drag and drop event.

Here you have the possibility to read a file / folder over and over again and see new entries that have been added or changed. You can also read the content of a folder async, which does not block the main thread, as opposed to webkitdirectory, which requires iterating over all files recursively.

Picking a large folder using webkitdirectory is troublesome b/c it freezes the tab. Both webkitGetAsEntry and the new getAsFileSystemHandle solve this problem, as it's only reading the content of one folder. So I think getAsFileSystemHandle is necessary / very useful.
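The difference described in the comment above, shown as an added example that is not code from the spec or from any participant in this thread: listing one directory level on demand versus enumerating the whole tree up front. The real directory handle would come from a drop event (`event.dataTransfer.items[i].getAsFileSystemHandle()`); since that only exists in a browser, the block builds a constructed in-memory stand-in that mimics the async-iterable shape of `FileSystemDirectoryHandle` (`kind`, `name`, `entries()`), which is an assumption of this example and not part of the original.

```javascript
// Added example, not from the spec or the thread. Contrasts reading one
// directory level on demand with walking an entire tree before returning.
// Assumption: in a page, `dir` would be obtained in a drop handler, e.g.
//   const dir = await event.dataTransfer.items[0].getAsFileSystemHandle();
// Here a constructed fake mimics FileSystemDirectoryHandle's async
// iteration contract so the logic can run outside a browser.

// Constructed fake handles; a browser would supply real ones.
function fakeFile(name) {
  return { kind: "file", name };
}

function fakeDir(name, children) {
  return {
    kind: "directory",
    name,
    // Same [name, handle] async-iterator shape as
    // FileSystemDirectoryHandle.prototype.entries()
    async *entries() {
      for (const child of children) yield [child.name, child];
    },
  };
}

// Reads only the immediate children of one directory. The work is bounded
// by that directory's own size, regardless of how deep the tree below it is.
async function listOneLevel(dir) {
  const out = [];
  for await (const [name, handle] of dir.entries()) {
    out.push({ name, kind: handle.kind });
  }
  return out;
}

// What a webkitdirectory picker effectively has to do: enumerate every file
// recursively before the page sees anything. Returns the flattened file
// paths plus the number of directories that had to be opened to get there.
async function walkAll(dir, prefix = "") {
  const files = [];
  let dirsOpened = 1; // this directory
  for await (const [name, handle] of dir.entries()) {
    const path = prefix + name;
    if (handle.kind === "file") {
      files.push(path);
    } else {
      const sub = await walkAll(handle, path + "/");
      files.push(...sub.files);
      dirsOpened += sub.dirsOpened;
    }
  }
  return { files, dirsOpened };
}

// Constructed sample tree: 3 entries at the top level, 5 files in total,
// 4 directories counting the root.
const sampleTree = fakeDir("project", [
  fakeFile("README.md"),
  fakeDir("src", [
    fakeFile("a.js"),
    fakeDir("lib", [fakeFile("b.js"), fakeFile("c.js")]),
  ]),
  fakeDir("docs", [fakeFile("d.md")]),
]);

// Runs both strategies over the sample tree and reports how much each touched.
async function demo(tree = sampleTree) {
  const top = await listOneLevel(tree);
  const all = await walkAll(tree);
  return {
    topLevelCount: top.length,
    totalFiles: all.files.length,
    dirsOpened: all.dirsOpened,
  };
}

if (typeof require !== "undefined" && require.main === module) {
  demo().then((r) => console.log(r));
}
```

With a real handle, `listOneLevel` is what you call again later to see entries that were added or changed in the meantime; `walkAll` is the cost a page pays before it can render anything when it gets a flat file list instead of a handle.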

jimmywarting commented 1 year ago

You should also try to address Mozilla's concern and their position on it.

"There's a subset of this API mozilla is quite enthusiastic about (in particular providing a read/write API for files and directories as alternative storage endpoint), but it is wrapped together with aspects for which we do not think meaningful end user consent is possible to obtain (in particular cross-site access to the end user's local file system). Overall we consider this harmful therefore, but Mozilla could be supportive of parts, provided this were segmented better."

So it maybe needs to address the "cross-site access" section of it all, making it more clear that a file handle from Site A can't be accessed from Site B, and that handles can't be transferred with postMessage.