Slash Boxes

SoylentNews is people

posted by martyb on Sunday November 25 2018, @01:59AM   Printer-friendly
from the welcome-to-the-danger-zone dept.

Google and Mozilla are working together on a method to let web apps gain access to users' files.

A group led by Google and Mozilla is working to make it easy to edit files using browser-based web apps but wants advice on how to guard against the "major" security and privacy risks.

The idea is to allow users to save changes they've made using web apps, without the hassle of having to download new files after each edit, as is necessary today.

[...] the W3C Web Incubator Community Group (WICG), which is chaired by representatives from Chrome developer Google and Firefox developer Mozilla, is working on developing the new Writable Files API, which would allow web apps running in the browser to open a file, edit it, and save the changes back to the same file.

However, the group says the biggest challenge will be guarding against malicious sites seeking to abuse persistent access to files on a user's system.

"By far the hardest part for this API is of course going to be the security model to use," warns the WICG's explainer page for the API.

"The API provides a lot of scary power to websites that could be abused in many terrible ways.

What could possibly go wrong?

Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Sunday November 25 2018, @02:03PM

    by Anonymous Coward on Sunday November 25 2018, @02:03PM (#766154)

    Why bother speculating on a new secure browser architecture, when you haven't yet achieved an old secure browser architecture? All free browsers are built on design choices based on market conditions rather than technological best practices. They always have they always will.

    The thing is, there probably IS a market for a paid-for secure browser at this point. Of course all of the vendors would implement code to diddle an shared libs to fuck it up, so you'd have to compile it as a monolithic product, and have it hash itself on startup. And it would break a lot of sites. But that's the point isn't it? The client side is obligated to preserve the rights of the user, regardless of what the server side expects. Compatability is fundamentally antithetical to privacy in a commercialized user space.