-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Moving local files with the File System Access API #805
Comments
Noting: mozilla/standards-positions#732 |
Hi @a-sully – are there versions of the spec and explainer markdowns that can be directly linked to, rather than un-merged PRs? That would greatly help the review. |
Hi @a-sully - thanks for this. We're reviewing today and noting that this is built on top of File System Access which we previously reviewed positively. Can we set up a session where y'all join us to discuss the security issues, multi-stakeholder interest, abuse cases, and potential mitigations? |
I'm not sure if this is already covered, but there needs to be a limitation on how often this method can be called. Likely restricted to a single call per user activation. Otherwise, a malicious site can use the fact that existing files can't be overwritten to probe for the existence of other files that the user has not granted access to. |
No, not at the moment. There had been some earlier discussions as to where these types of explainers should go but that thread was never resolved... I can attempt to merge them into whatwg/fs and cite this as justification :)
Absolutely! (and sorry, I realized I had accidentally been filtering emails related to this repo. I should be more responsive going forward)
Correct! This is discussed in the explainer; both on requiring user activation if you don't have permission and overwriting existing files. We expect this to be sufficient, but can add usage limitations later on if needed |
Hi @torgo, The |
Regarding this point specifically - we recent added to the spec the ability to distinguish between files on the local file system vs. files in a Bucket File System (f.k.a. OPFS). This now allows us to specify within the
|
Hi @a-sully - can you clarify what do you mean by "distinguish"? Do you mean that the spec itself would mandate a higher security level for anything to do with local file system files vs. "bucket file system" files? Is there additional normative spec text that could be therefore added to protect users from bad outcomes (i.e. necessary security guarantees)? |
We now have the ability to say "this I expected the
"Implementation defined" is broad enough that each implementation could choose to skip malware checks for files in the bucket file system - which I expect is the case currently across all browsers. We could be explicit that these checks must not run for files in the bucket file system (as I sketched out above). That would remove some theoretical flexibility on the part of the user agent, but in practice I don't expect that to be an issue (cc @jesup @szewai @annevk) Meanwhile, there's the question @torgo posed about running security checks for local files ("necessary security guarantees"). From my perspective (please correct me if I'm misunderstanding), there are two pieces to this:
I don't think we want (2). See the non-normative language here: https://wicg.github.io/file-system-access/#security-malware
The user agent should have the flexibility to skip security checks in some scenarios (e.g. the user agent can determine what qualifies as a "strong trust relation", how it's established, etc) Regarding (1), I'm open to discussing adding more detail (and since this also affects the existing specification of |
I've just revamped whatwg/fs#10 to make use of the various infrastructural changes I mentioned above and to include the restrictions discussed in the explainer for non-BucketFileSystem moves. Feel free to leave comments here or on that PR A few things to note:
|
Hi @a-sully thanks for that and thanks for listening to our comments and concerns. Our main concern continues to be security-related issues related allowing access to the local filesystem. In the case where different UAs have made different security choices about this capability, does the API allow for graceful fallback when the browser in question doesn't support file moves in the local file system? Is that detectable? Have you thought about how this would behave differently with isolated web apps #842 ? |
On browsers for which only the Bucket File System is supported, well, there is currently no way to get a
Were other browsers to implement (even partial) support for the local file system, that could include upstreaming the
The permission requirements mentioned above will also apply to IWAs. If the user agent wanted to somehow privilege IWAs - say, by allowing only IWAs to call |
Hi folks - thanks for your responses and thanks for addressing our concerns. We're happy with the proposal as it stands, however I think the main concern we have now relates to multi-stakeholder support for the file system access API itself. We encourage you to work with other stakeholders / implementers to achieve a consensus-based approach to this capability. |
Wotcher TAG!
I'm requesting a TAG review of
FileSystemFileHandle.move()
for local files.When launching SyncAccessHandles, we launched
FileSystemFileHandle.move()
for files within the Origin Private File System (OPFS). Moving of files outside of the OPFS and moving directories at all are not yet supported.We're proposing to allow the
FileSystemFileHandle.move()
method to move files that do not live in the Origin Private File System, i.e. user-visible files on the device.Further details:
We'd prefer the TAG provide feedback as:
🐛 open issues in our GitHub repo for each point of feedback
The text was updated successfully, but these errors were encountered: