Description
https://wicg.github.io/native-file-system/#privacy-considerations
https://wicg.github.io/native-file-system/#security-considerations
In these non-normative sections some mitigations are described which will probably have to be spelled out in normative text elsewhere to ensure interoperable implementations. The following seem especially relevant.
> To protect against this, user agents are encouraged to restrict which directories a user is allowed to select in a directory picker, and potentially even restrict which files the user is allowed to select.
Any delta between implementations in this point is likely to eventually lead to compat problems for the browser with the most restrictive rules. Some divergence may be unavoidable, but writing into spec all the things that are agreed upon would be very good, with issues tracking anything which implementers couldn't agree on before shipping.
> user agents are encouraged to make it clear what files and directories a website has access to, and to automatically expire permission grants except for particularly well trusted origins
A mismatch here would likely only result in the user being prompted again, but if some implementation is sufficiently lax, sites could come to assume that if they've gotten past some setup flow once, they never have to worry about permissions again. That would break the less lax implementation after however many days or months, once it revokes the permission, perhaps requiring the user to clear cookies to recover.
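The failure mode described above is a site that treats a one-time grant as permanent. The following is an added example (not code from the spec or from this issue) of the defensive pattern a site should use instead: a handle restored from storage is queried for its current permission state, which never prompts, and only re-requested from a user gesture when the user agent has expired the grant. `queryPermission()` and `requestPermission()` are the `FileSystemHandle` methods of the File System Access API; the `userActivation` flag, the mock handle and the scenario values are assumptions constructed for the example.

```javascript
// Added example, not from the spec or the issue. Assumes the FileSystemHandle
// permission methods queryPermission()/requestPermission(); the mock handle
// below is constructed so the logic runs outside a browser.

// Returns 'granted', 'denied', or 'needs-gesture'. Never assumes a stored
// handle is still usable: the user agent may have expired the grant.
async function ensurePermission(handle, mode, userActivation) {
  const state = await handle.queryPermission({ mode }); // never prompts
  if (state === 'granted') return 'granted';
  if (state === 'denied') return 'denied';
  // 'prompt': grant expired or never made. Re-requesting needs a user
  // gesture (in a page: navigator.userActivation.isActive, assumed here
  // to be passed in by the caller), so report that instead of failing.
  if (!userActivation) return 'needs-gesture';
  return handle.requestPermission({ mode });
}

// Constructed mock of a handle whose grant the user agent has expired.
// `current` is the state queryPermission() reports; `afterPrompt` is what
// the user chooses when requestPermission() shows the prompt.
function mockHandle(current, afterPrompt) {
  let state = current;
  return {
    requests: 0,
    async queryPermission() {
      return state;
    },
    async requestPermission() {
      this.requests += 1;
      state = afterPrompt;
      return state;
    },
  };
}

// Scenario from the issue: the site passed setup once, comes back later,
// and the user agent has since revoked the grant. On page load there is no
// gesture, so the site must wait for a click before re-requesting.
async function scenario() {
  const h = mockHandle('prompt', 'granted');
  const onLoad = await ensurePermission(h, 'readwrite', false);
  const onClick = await ensurePermission(h, 'readwrite', true);
  return { onLoad, onClick, requests: h.requests };
}

// Scenario where the user declines on re-prompt: the site must handle
// 'denied' rather than assume the earlier grant still stands.
async function declinedScenario() {
  const h = mockHandle('prompt', 'denied');
  return ensurePermission(h, 'readwrite', true);
}
```

A site written this way keeps working under either implementation strategy the issue worries about: a lax user agent that never expires grants just reports `'granted'` on every query, while a strict one gets the re-prompt flow without the user having to clear site data.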
> To mitigate this risk, this API does not provide any way to mark files as executable (on the other hand files that are already executable likely remain that way, even after the files are modified through this API).
This shouldn't be "likely": some algorithm should make sure the executable bit is not set, or not.
Aside: this seems like a fairly weak mitigation; a zipfile or dmg that contains executables would get past this.
> Clearing browsing data is expected to revoke all permissions as well.
This too should be well defined.