canmove, Confirmed users
640
edits
Firefox 3.6/HTML5 File Objects Security Review: Difference between revisions
Jump to navigation
Jump to search
Firefox 3.6/HTML5 File Objects Security Review (view source)
Revision as of 21:59, 25 August 2009
, 25 August 2009→Review comments
| Line 53: | Line 53: | ||
* once a page gets a "DOMFile" reference it can read that file as long as the page is open, including any future edits during that time. This may be counter-intuitive to users who expect pages to get a "copy" of the file when it's dropped/submitted. | * once a page gets a "DOMFile" reference it can read that file as long as the page is open, including any future edits during that time. This may be counter-intuitive to users who expect pages to get a "copy" of the file when it's dropped/submitted. | ||
* <jesse> allowing file drops turns window.moveTo into a security hole. maybe fixing https://bugzilla.mozilla.org/show_bug.cgi?id=502561 needs to block supporting file drops. | * <jesse> allowing file drops turns window.moveTo into a security hole. maybe fixing https://bugzilla.mozilla.org/show_bug.cgi?id=502561 needs to block supporting file drops. | ||
* <script> should not be allowed to load from filedata: -- could we even limit its use to images? | |||
* If files are sent cross-origin via postMessage() the new origin gets access to the file, not just a snap-shot. This seems bad. Not much different than one page sending updated contents to another which they could do now with strings, but the "lifetime of accessibility" would be non-intuitive to users. Closing the page to which they gave access doesn't necessarily stop access to the contents (as opposed to a copy of the data given). | |||
* jst thinks we should invalidate file handles if the file changes on disk. | |||
* storing files into globalStorage should probably be a copy of the file, not a handle to the live local file. Otherwise if this is some off-line app and the user deletes the local file after "uploading" it the file could be gone. | |||