On Wed, 07 May 2008 16:47:06 +0100, Maciej Stachowiak <[EMAIL PROTECTED]>
wrote:

> On May 7, 2008, at 6:39 AM, Charles McCathieNevile wrote:
>
>> Hi folks,
>>
>> Opera has a proposal for a specification that would revive (and
>> supersede) the file upload API that has been lingering so long as a
>> work item.
>>
>> In a nutshell, it provides the ability for a web application to get a
>> filespace, by asking the user to identify such a space, and making it
>> available to that application something like a virtual file system.
>
> I am concerned about the security implications of this proposal. File
> upload in HTML is based on the user explicitly selecting a particular
> file. This has relatively low security risk, since the user is choosing
> one specific file that he or she wishes to transmit, and all that can be
> done with that file is upload its bytes.
>
> However, this API grants much more power than that.

Yep. That's the idea.

> Here are some of the more obvious security issues:
>
> [several obviously interesting things]
>
> 6) Despite clearly having major security considerations, the document
> has no Security Considerations section.

Indeed. (It also has no table of contents). There are obviously security
issues any time you give access to something like the filesystem. That
said, there are valuable use cases for access to the filesystem. The idea
of standardising this currently rough proposal is that we identify and
deal with those. An obvious approach would be to limit availability of
this to "trusted content" for some definition of that (and different
browsers currently have different definitions).

As a work item we can happily raise the security issues and provide
guidance about what circumstances open what kinds of risk. Which is what
we would like to do, as part of making the functionality available to
application developers in some way.
cheers
Chaals
--
Charles McCathieNevile Opera Software, Standards Group
je parle français -- hablo español -- jeg lærer norsk
http://my.opera.com/chaals Try Opera 9.5: http://snapshot.opera.com