But we're not talking about a web-based javascript (or at least I'm not). 
We're talking about a local javascript file. And we're also talking about a 
user who has just navigated to a file, voluntarily providing file and path 
information. Whether the script is malicious or not, it already has full 
access to the contents of the file, and could conceivably send it anywhere. 
So why not let it see the path? 

Thanks,
Mark


On Wednesday, August 2, 2017 at 8:38:23 AM UTC-7, Lost Admin wrote:
>
>
>
> On Wednesday, August 2, 2017 at 10:38:18 AM UTC-4, Mark S. wrote:
>>
>> I'm guessing that the answer is "no", since we've been told that drag and 
>> drop can't do what you want (what I want too, BTW), because the file folder 
>> structure is hidden from the browser for security reasons. How this helps 
>> security is pretty unclear. 
>>
>
> The very short "how this helps security" for a lot of the pain, including 
> this particular pain point, is pretty simple. Javascript comes from servers 
> that the end-user doesn't control and shouldn't trust. Malicious developers 
> (including advertisers and people trying to make bot nets) have taken 
> advantage of the loose controls that browsers implement to put files on 
> your computer without you even needing to do anything other than go to a 
> website that happens to have an ad on it. The ad loads some javascript, the 
> javascript puts files on your computer and runs them. Bam, you have a virus 
> or worm or trojan or ransomware or spyware etc. You didn't have to do 
> anything. It's called a drive-by download.
>
> The other way around also works in that the javascript can look at files 
> on your computer and tell your computer to send them somewhere, thus 
> stealing information from you without you even knowing.
>
> If the browser lets the website (javascript) set the path and name of a 
> file and allows overwrite of existing files, then the javascript can 
> replace proper normal programs with their trojans etc.
>
> This, and many other attack scenarios keep coming back, even after the 
> developers think they've fixed the problem. It isn't that the developers 
> don't know how to fix the problem, they do. But the fix is to fix the 
> underlying design flaws in the browser and significantly restrict what all 
> that code from websites can actually do on the end-user's computer.
>
>> You can use TiddlyClip in conjunction with local clips and a browser tab 
>> that browses the local file system to create tiddlers based on file paths 
>> like you (we) would like.
>>
>> HTH
>> Mark
>>
>> On Tuesday, August 1, 2017 at 10:05:51 AM UTC-7, Pit.W. wrote:
>>>
>>> Hello All, 
>>>
>>> probably my question is really stupid and everybody knows this: 
>>>
>>>
>>> 1. The Situation: 
>>>
>>> *all takes place on a local PC / USB stick,  no online action involved 
>>>
>>> *I have a TW-file in a folder which is filled and filling up with .pdf 
>>> files 
>>>
>>> *I want to read the files and comment them in my TW local file 
>>> (standalone, not on node) 
>>>
>>> 2. Question: 
>>>
>>> can the <browse> widget be used to perform the following functions: 
>>>
>>> *select a .pdf file 
>>>
>>> *open a template tiddler 
>>>
>>> *transfer the relative address of the .pdf file into _canonical_uri 
>>> field of the opened template 
>>>
>>> **and the filename to other fields? 
>>>
>>> *while also dealing with special characters? 
>>>
>>> *set the type to application/pdf (could be done by the template) 
>>>
>>> *then display the .pdf file within a tiddler 
>>>
>>>
>>> 3. Request: could the browse widget be adapted to perform (2.) above? 
>>>
>>>
>>> Probably this is either known to everybody except me. Or it is 
>>> impossible. 
>>>
>>> Enlightenment would be highly appreciated. 
>>>
>>>
>>> Kind regards 
>>>
>>>
>>> Pit 
>>>
>>>
>>>
>>>
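
Added example (not part of the thread and not TiddlyWiki's own code): a file picked in the browser gives a script only the bare file name and the contents, so the relative _canonical_uri asked about above has to be built from that name plus a folder the wiki author already knows. The folder "pdfs", the function name and the "filename" field are assumptions made for illustration.

```javascript
// A browser File object from <input type="file"> exposes name, size, type
// and contents, but never the directory the file came from.
// Assumption: the PDFs sit in one known folder next to the wiki file.
const PDF_FOLDER = "pdfs"; // hypothetical single folder name, relative to the wiki

// Build tiddler fields from the only path information the browser reveals.
// `file` is anything with a `name` property (a File, or a stand-in object).
function tiddlerFieldsForPdf(file, folder = PDF_FOLDER) {
  const name = String(file.name);
  // file.name should be a bare name; refuse anything that tries to carry a path.
  if (name === "" || name === "." || name === ".." || /[\/\\\0]/.test(name)) {
    throw new Error("unexpected file name: " + JSON.stringify(name));
  }
  if (!/\.pdf$/i.test(name)) {
    throw new Error("not a .pdf file: " + JSON.stringify(name));
  }
  // Percent-encode each segment so spaces, '#', '?', '%' and non-ASCII
  // characters stay part of the path instead of being read as URL syntax.
  const uri = [folder, name].map(encodeURIComponent).join("/");
  return {
    title: name.replace(/\.pdf$/i, ""),
    type: "application/pdf",
    _canonical_uri: uri,
    filename: name // hypothetical extra field for the original name
  };
}

// Constructed stand-ins for File objects, including one path-like name.
const samples = [
  { name: "Report #3 (draft).pdf" },
  { name: "Übersicht 100%.pdf" },
  { name: "..\\..\\secret.pdf" }
];
for (const f of samples) {
  try {
    console.log(tiddlerFieldsForPdf(f));
  } catch (e) {
    console.log("rejected:", e.message);
  }
}
```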
