On Tue 18 Jan 2022 at 14:46:48 (+0000), Jeremy Nicoll wrote:
> On Tue, 18 Jan 2022, at 04:51, songbird wrote:
> > Jeremy Nicoll wrote:
> >> On Mon, 17 Jan 2022, at 05:19, songbird wrote:
> >>
> >>>   you are right, but i just wanted to say that for some sites
> >>> the behavior is to generate a unique file name if they find
> >>> one that already exists with the same name and for other sites
> >>> it is not.  i think this is dependent upon the website designers
> >>> and not firefox.
> >>
> >> Are you saying that code on a webpage can interrogate my 
> >> file system to see whether certain files exist?  I don't like the
> >> sound of that.
> >
> >   you are running the webpage on your browser so it is your
> > own computer and your own program that is doing the accessing
> > just like any other program you run.
> 
> The problem is that a user would normally only expect a browser to
> save a file to the file-system in two cases:
> 
> (a) when the user has explicitly chosen to download something, and
>    then chooses where to put it
> 
> (b) when the browser is caching content, or manipulating its own
>   config files
> 
> In both those cases it's code written by the browser's developers 
> that's doing the writing.
> 
> The new situation will allow any JS written by any page developer to
> access my files.  I am unconvinced that this will never lead to malware
> doing things to files/folders on my system without my knowledge.
> 
> It's a BIG change to users' expectations of what a browser can do.
> 
> Users with no technical knowledge could get bitten by this.
> 
> > what controls you wish
> > to put on the access to your file system and how you do that
> > is up to you and your own desires and capabilities.
> 
> I don't think it should be up to me.  I'd prefer to prohibit any JS 
> in a browser from doing that.
> 
> > but what i do is set where files are saved in a
> > specific directory and leave it at that
> 
> That works fine while you can be sure that a browser is only 
> saving downloaded files.  What about when it can do anything
> it likes to any file/folder?

Songbird went on to say:

> > if you are running a linux 
> > system then you have the capability of using different users
> > and groups to control file and directory access.  so you only
> > browse using one user and then set up a directory for that 
> > user to save files to and then put stuff there.  then you can
> > make that directory read only to a group and set up another
> > user to go look at the files saved there.  or something like
> > that...

… which is what I do: user "flash" browses all except a few
trusted sites. I can read flash's ~/PDF/, downloads and browser
cache, and after a minute, I own the first two categories,
thanks to cron.

Cheers,
David.
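
One way to implement the arrangement described in the message above, as an added example that is not part of the original message or David's actual setup: a script run from root's crontab that hands files saved by the browsing account over to the main account. The user "flash" and ~/PDF/ come from the message; the account name "alice", the Downloads path, the script path and the crontab line are assumptions.

```shell
#!/bin/sh
# Added example, not from the original message. "flash" and ~/PDF/ are
# named in the message; "alice", the Downloads path, the script path
# and the one-minute schedule are assumptions.
#
# Assumed line in root's crontab:
#   * * * * * /usr/local/sbin/claim-browser-files --run

BROWSE_HOME=${BROWSE_HOME:-/home/flash}   # account that does the browsing
NEW_OWNER=${NEW_OWNER:-alice}             # hypothetical main account
MIN_AGE=${MIN_AGE:-1}                     # minutes since last write
CHOWN=${CHOWN:-chown}                     # set to "echo" for a dry run

# Hand the files in directory $1 to NEW_OWNER. The directory is
# writable by the less trusted account, so root only touches:
#   -type f    regular files (find does not follow symlinks by default)
#   -links 1   files with no second hard link elsewhere
#   -xdev      files on the same filesystem
#   -mmin +N   files not modified in the last N minutes
# Names go to chown through -exec, never through a line-based pipe,
# so a newline in a file name cannot smuggle in another path.
claim_dir() {
    find "$1" -xdev -type f -links 1 -mmin "+$MIN_AGE" \
        -exec "$CHOWN" -h "$NEW_OWNER" -- {} +
}

claim_all() {
    for d in "$BROWSE_HOME/PDF" "$BROWSE_HOME/Downloads"; do
        # Skip a missing directory or one replaced by a symlink.
        if [ -d "$d" ] && [ ! -L "$d" ]; then
            claim_dir "$d"
        fi
    done
}

if [ "${1:-}" = "--run" ]; then
    claim_all
fi
```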
