search

w3c / web-share

Web API proposal for sharing data from a web page
https://www.w3.org/TR/web-share/
Other
353 stars 65 forks source link

Support additional media types? #258

Closed ktk closed 1 year ago

ktk commented 1 year ago

Hi,

We tried to implement some use-cases with Web Share API, unfortunately we ran into limitations due to the limited set of supported Shareable file types. In our case we want to pass RDF around in the text/turtle serialization, which is a common media type in our field.

I found #182 as well which seems related but I don't get why this is a hand-picked subset of existing media types. IMO it would make more sense to be able to use any potential media type in here, as use-cases for this API could be very generic.

What is the reasoning for the hand-picked subset available in the current spec?

marcoscaceres commented 1 year ago

hi @ktk! Apologies for the delay in replying.

What is the reasoning for the hand-picked subset available in the current spec?

The spec does not impose this restriction. This is something MDN has listed, possibly to match Chrome or some other browser.

The spec only says, as part of validate share data:

If the user agent believes sharing any of the files in files would result in a potentially hostile share (i.e., the user agent determines a file is malicious in some way, because of its contents, size, or other characteristic), return false.

And, as part of share() method:

If a file type is being blocked due to security considerations, return a promise rejected with a "NotAllowedError" DOMException.

So, its browsers themselves that are imposing this list. However, it's for a very good reason: security.

On most OSs, sharing triggers the presentation of a share sheet. That share sheet will often try to parse and/or process the data, URLs, and file(s) being shared (e.g., to create a preview) often before the user actually shares. A malicious website can (and have!) use the shared data to attack/confuse the share sheet's parser/processor. This could also (potentially) be done with "text/turtle". The restricted list chosen by browsers is fairly "battle hardened", but yes... quite restricted.

So, it would be up to browser and OSs to trust "text/turtle" for them to enable it if they trust such files.

Does that make sense?

@ktk, for record keeping purposes, please indicate if your are satisfied with this response.

marcoscaceres commented 1 year ago

Note that there is related discussion around types here also: https://github.com/w3c/web-share/issues/108

It's something we may revisit in the future.

marcoscaceres commented 1 year ago

I'm going to go ahead and close this as answered. @ktk, let me know if you have further questions or concerns (and I can reopen the issue if need be).