From MozillaWiki


partial interface Navigator {
  /**
   * type is an arbitrary string. On OSs with predefined directories (pictures,
   * music, etc.) we can match certain type names to certain folders.
   * To be figured out.
   * Note that each value for the type represents a different directory.
   * I.e. passing "pictures" as type will yield a completely different set
   * of files from passing "movies" as the type.
   * In other words, the type argument is not some sort of filter, but rather
   * simply a destination directory.
   */
  DeviceStorage getDeviceStorage(DOMString type);
};

interface DeviceStorage {
  // Name will be generated by the implementation and returned as result of request
  DOMRequest add(Blob blob);

  // Fails if a file with the given name already exists.
  DOMRequest addNamed(Blob blob, DOMString name);

  // Returns the result as a File object
  DOMRequest get(DOMString name);

  // Returns the result as a FileHandle object which enables writing
  DOMRequest getEditable(DOMString name);

  // Deletes a file
  DOMRequest delete(DOMString name);

  // Adds a listener for a file update event.
  // The type determines what type of event to listen for: one of "created", "deleted", and "modified".
  // The listener receives notification when an event occurs.
  // If true, useCapture indicates that the user wishes to initiate capture. After initiating capture,
  // all events of the specified type will be dispatched to the registered listener before being dispatched
  // to any EventTarget beneath it in the DOM tree.
  void addEventListener(DOMString type, EventListener listener, optional boolean useCapture);

  // Removes the listener for the given file update event;
  // the listener will stop receiving notifications after this call.
  void removeEventListener(DOMString type, EventListener listener);

  // Sends an event to the event listeners the same as if it was delivered directly.
  boolean dispatchEvent(DeviceStorageChangeEvent event);

  // See interface below for how to use this
  DeviceStorageCursor enumerate(optional DOMString directory);
  DeviceStorageCursor enumerateEditable(optional DOMString directory);
};

interface DeviceStorageChangeEvent : Event {
  // .type is "devicestoragechange"
  // .target is the DeviceStorage object that caused this
  DOMString change; // one of "created", "modified", or "deleted"
  DOMString path;   // absolute path to the file that updated
};

interface DeviceStorageCursor : DOMRequest {
  // .result (defined in DOMRequest) is either a File or a FileHandle
  void continue();
};

The cursor API is somewhat different from the IndexedDB cursor in that it's a bit simpler. We might want to align more with IndexedDB just for the sake of consistency.

APIs as implemented in Gecko:


Security/Privacy considerations

There are basically three different capabilities here:

  • Ability to add new files. This can't cause any harm in and of itself apart from using system resources.
  • Ability to read existing files. This isn't a security problem, but is a privacy problem.
  • Ability to modify/delete existing files. This can destroy user data.

Ability to add new files isn't terribly sensitive; simply asking the user might be sufficient here.

Ability to read existing files is more sensitive. Note that we should integrate device storage with <input type=file> such that the user is able to select a file from device storage on all platforms. That should significantly reduce the need for pages to use this API.

We could possibly further reduce the need by granting pages/apps the right to read files that they have added. I.e. only when wanting to read other files would we need to apply security restrictions. Implementing this on desktop will be hard though since we would have to keep additional meta-data on files that are stored in the user's "pictures", etc. folders. I'm inclined to defer this aspect for now.

Ability to modify/delete existing files is extremely sensitive. We likely wouldn't want a scenario where the user simply answers yes to a "Do you want to let this website modify your pictures folder" prompt and then has all of their vacation photos from the past 10 years destroyed.
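
The three capabilities above, together with the "read the files you added" idea, modelled as separate per-origin grants. This is an added sketch, not Gecko code: StorageGate, the grant names and the in-memory owner record are hypothetical, and requiring "modify" even for an origin's own files is an assumption the page does not settle.

```javascript
// Added sketch, not Gecko code. StorageGate and the grant names are hypothetical.
const CAPABILITIES = ["add", "read", "modify"];

class StorageGate {
  constructor() {
    this.files = new Map();  // name -> { owner, data }; owner is the adding origin
    this.grants = new Map(); // origin -> Set of granted capabilities
  }
  grant(origin, capability) {
    if (!CAPABILITIES.includes(capability)) throw new Error("unknown capability");
    if (!this.grants.has(origin)) this.grants.set(origin, new Set());
    this.grants.get(origin).add(capability);
  }
  allowed(origin, capability) {
    const set = this.grants.get(origin);
    return set !== undefined && set.has(capability);
  }
  // Mirrors addNamed(): refuses existing names, so "add" alone can never overwrite.
  addNamed(origin, name, data) {
    if (!this.allowed(origin, "add")) throw new Error("add denied");
    if (this.files.has(name)) throw new Error("file exists");
    this.files.set(name, { owner: origin, data });
  }
  // An origin may read back what it added; anything else needs "read".
  // The permission check runs before the existence check, so an origin
  // without "read" cannot probe which file names exist.
  get(origin, name) {
    const file = this.files.get(name);
    const own = file !== undefined && file.owner === origin;
    if (!own && !this.allowed(origin, "read")) throw new Error("read denied");
    if (!file) throw new Error("not found");
    return file.data;
  }
  // Assumption: deleting always needs "modify", even for the origin's own files.
  delete(origin, name) {
    if (!this.allowed(origin, "modify")) throw new Error("modify denied");
    if (!this.files.delete(name)) throw new Error("not found");
  }
}

// Helper for trying an operation: returns "ok" or the denial reason.
function attempt(fn) {
  try { fn(); return "ok"; } catch (e) { return e.message; }
}
```

The owner record kept per file is the additional metadata the page notes would be hard to maintain on desktop, where files in the user's folders can be changed outside the browser.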