It is a great API though, I wish the other browser vendors liked it! Because currently us PWA developers are really limited when trying to make apps that work with local data, at least in non-Chrome browsers.
codedokode 7 hours ago [-]
Firefox position is completely valid. I think a safe option would be to allow access only to a specific directory like "~/Internet files" or something like this. This way the user could grant the access but not to sensitive files. And add an option in about:config to lift the restriction for power users.
Also, there is a risk of a site writing malware executable, and Linux currently has no sandboxing for such executables so the system would be completely owned once the user runs the program. So the directory should not allow storing executables.
4 hours ago [-]
shortercode 3 hours ago [-]
Both sides are valid. Is it a security risk? In the right conditions yes. But on the other side of it there’s user consent, limited per domain access, and the capability to do multi file editor style apps.
I think the WebKit take on this is good and a better fit for most apps. They instead implemented Origin Private File System. Which is based on the same API bits but the folder is only accessible by the website. The downside is the user loses some control over the files:
- can’t see what’s being stored
- can’t easily backup those files
- has to use that web app to access the files
- usual nonsense about important files being classed as “cookies” or some nonsense by cache cleaning tools, leading to users deleting their data without realising it
codedokode 2 hours ago [-]
> The downside is the user loses some control over the files:
Why not use some human-readable path like ~/Internet/example.com/ ? In this case the user could see the files.
benregenspan 9 hours ago [-]
I'd love for Google to figure out something comparable for the Drive API (currently it's not possible to grant read/write access to a single folder; you need to grant access to the entire drive!): https://issuetracker.google.com/issues/36760598?pli=1
I think the fact that the above issue has been open for a very long time is one indication of how difficult and sensitive this type of access control API is. The Google Drive API could be a proving ground for getting the UX right for this (including tricky details like how to manage persistent access to a folder with clear disclosure and user controls).
ethbr1 9 hours ago [-]
Is it really that complicated?
Why not just create per-domain browser-controlled folders (cert-linked?) that are abstracted into a simple read/write API via the browser (with subfolders allowed under that domain's root), disallow cross-domain access... and then build browser-mediated linking for use cases where you want to flow files from (non-domain) to (domain) to (non-domain)?
So essentially local storage with better integration with the actual filesystem, that's browser-controlled.
Allowing websites to have arbitrary (even user-approved) access directly to the real filesystem seems like a bad idea, when most use cases could be handled by a browser-mediated filesystem-like abstract view.
sharperguy 9 hours ago [-]
You could implement it this way:
- the first time you select a directory it must be empty
- you can drag files in there afterwards
- the directory gets whitelisted for future use
Probably has bad usability, but would be more secure.
NooneAtAll3 9 hours ago [-]
fortunately*
Theodores 4 hours ago [-]
Ah, but it is new to Claude. Claude has main character vibes, so it is always about Claude. Isn't he clever?
Claude can stay in his own lane, I want to know how I can use this during development to simulate uploading photos, so Chrome only is okay for my purposes. But I want to know how to do it, not how much better Claude is than me, forever able to do anything I can do but better.
nasso_dev 9 hours ago [-]
it's a bit of a shame that TFA does not mention that this is a non-standard API pushed by google only (all three editors of the draft are google engineers)
both Mozilla[1] and Apple[2] are opposed to it
encouraging people to build apps that only work in google web browsers actively harms the web and sends a signal to google that they can in fact keep doing this
I think something that is a mix between localStorage or IndexedDB and access to the user's filesystem would be better.
I agree with the comments about how much of a security risk this poses. But, isn't that the case with any binary or executable files and apps we download from the internet anyway?
It would be cool if you could have a specially-demarcated directory (e.g. even inside the application like `~/Applications/Chrome/<website>/local_files`) which you can just open super easily with a button from Chrome, and just copy files over into that directory as needed. Would provide the benefits of a more secure enclave with the flexibility of being on the filesystem.
A few people have suggested adding a blacklist for dangerous directories or validating directories are empty first.
Why not just make the API create a new directory rather than selecting one? There's still a risk people create a directory in a shared location - but at least they're only risking the new directory then, right?
Ajedi32 3 hours ago [-]
I think the intended use case is for things like "give my music player access to my music library" or "open a project directory in this IDE", which wouldn't work well if every app were confined to its own directory.
danhardman 2 hours ago [-]
I guess, but it seems pretty typical to expect to install a new software or start a new project and require some form of loading/importing content in. It wouldn't exactly destroy the experience or at least the trade-off seems worth it imo
explodes 10 hours ago [-]
First time I've heard about this. I'll have to look into the security model around it. I'm curious what safeguards are in place to prevent click jacking. I know showing a file picker """should""" be enough of a warning to users to be careful, but it's not hard to imagine a world where a couple of fish accidentally bite the bait of an allow-button, or because they followed instructions they incorrectly trusted.
explodes 10 hours ago [-]
Looks like these safeguards are in place:
* System and root directories cannot be selected.
* Can only being activated after user action.
* Requires https.
* Double-confirmation for write access.
No API like this could ever be bulletproof, but it's a start I guess.
Very cool API though, and it really does open up a whole new world of possibilities.
ptx 9 hours ago [-]
Those are some pretty flimsy safeguards. I don't keep my secrets in system directories and using HTTPS doesn't mean the site isn't malicious.
Ajedi32 9 hours ago [-]
> I don't keep my secrets in system directories
Root of the home directory is also excluded.
But obviously yeah, nothing's going to prevent you from giving a website access to your .ssh directory if you explicitly select it.
Personally I don't have a problem with that. The ability to upload files has been a thing on the web for forever and I don't think there's ever been anything that stopped users from uploading their private key. Possibly some users have gotten phished that way, but at a certain point you have to accept responsibility for your own actions, otherwise you start ceding control of your life to a corporate nanny state.
mschuster91 9 hours ago [-]
> System and root directories cannot be selected.
That desperately needs something like the Public Suffix List [1] - a community-managed list where authors of software can blacklist directories containing sensitive files or such files directly for all browsers implementing this feature.
If I were to design such a list, it would include ~/.ssh, ~/.aws, ~/.config, ~/Library, ~/.{ba,z}sh{rc,_profile,_history}, ~/.m2, ~/.npm, ~/.npmrc, ~/.profile at the very least. Because users will get phished.
This is still a security nightmare! You won't get every folder, or even enough folders.
codedokode 7 hours ago [-]
Black listing is never secure. White listing is. Sadly some really smart person decided it was a good idea to store pictures and SSH keys within the same directory tree.
yjftsjthsd-h 3 hours ago [-]
> Sadly some really smart person decided it was a good idea to store pictures and SSH keys within the same directory tree.
~/Pictures and ~/.ssh are as far apart as they can be while staying in the user's home directory. I guess you could stick stuff in... /var or something, but that seems worse overall.
cicko 10 hours ago [-]
This is something you should explain to the Firefox critics.
asdfsa32 10 hours ago [-]
Chrome and friends (Edge, Opera) are basically the new IE6 and only people who are new or forgetful will disagree. I hate Mozilla for missing up so bad with their stewardship of Firefox time and again, but alas, it is the only reasonable option on the table.
And while I do hate Mozilla, Google is to be disliked even more.
recursive 8 hours ago [-]
IE6 stagnated after MS won the browser wars. It didn't get an update for like 6 years. Chrome has become a monoculture too but I think it's one of another kind.
ptx 10 hours ago [-]
So websites can now nag users to allow access to the root of their local disk and then read all their files and settings, all their SSH keys and other passwords?
From what I gather from the docs [1], this API gives you a FileSystemDirectoryHandle object, and then you just call getDirectoryHandle() on that to recursively read the the entire filesystem. The spec [2] has some vague suggestions about blacklisting certain particularly sensitive files, which doesn't seem reassuring.
I could select /boot and ~/.cache. Genius. Given how smart are many Internet users this will definitely not cause any misuse.
ThatMedicIsASpy 5 hours ago [-]
After seeing a recaptcha with a QR code. Suddenly those fake recaptchas with a run dialog don't seem too far fetched.
move-on-by 9 hours ago [-]
Ah yes, totally secure. I’m sure there will be no unforeseen problems or bypasses.
streptomycin 9 hours ago [-]
It's been in Chrome for 6 years and I'm not aware of any problems it's caused.
fg137 3 hours ago [-]
I'd argue this is because it's rarely used.
croes 8 hours ago [-]
Yet.
It’s not hard to imagine a case where it is a bad idea to give the browser access to the whole content of a directory.
There is a reason why it’s Chromium browsers only, don’t you think?
streptomycin 8 hours ago [-]
So what should I do if I want to make an app with this functionality? Do I have to tell users to download and run some executable? You can imagine a case where that is a bit riskier than a nicely sandboxed web app with permission to access one directory.
danaris 6 hours ago [-]
> Do I have to tell users to download and run some executable?
Well, yes.
The alternative is to give any malicious ad the ability to drive-by-download malware onto your machine.
streptomycin 2 hours ago [-]
Well there is a permission dialog and you need to select the directory to grant access and common sensitive directories are blacklisted.
A malicious ad would probably have an easier time tricking you into downloading and running an executable, which is something that has actually happened many times IRL. Worry about that before worrying about theoretical exploits that nobody has actually exploited in an API shipped in the world's most popular web browser for the past 6 years.
modeless 4 hours ago [-]
Did you miss that this has been shipped in Chrome for 6 years? How many drive-by-download viruses has your machine gotten since then? Zero for me...
danaris 3 hours ago [-]
Mine?
None.
Because I don't use Chrome.
It's spyware.
2 hours ago [-]
leptons 5 hours ago [-]
Apple will never implement anything in a browser that could make a web app as capable as a native mobile app, they are simply too greedy. Firefox typically doesn't implement these things unless they have to because they don't have the resources that Google and Apple do.
rcxdude 8 hours ago [-]
Just because a problem is not hard to imagine it doesn't mean that the problem is actually a problem in practice. It is worth asking if there are any signs of it existing for real.
croes 8 hours ago [-]
I hear a lot of this "nothing has happened so far" from people who DUI before their first crash and people who use the same password on multiple sites before their first credential stuffing hack
Ajedi32 9 hours ago [-]
Root directory would be on that blacklist for sure.
Those "vague suggestions" actually seem to include some pretty specific examples.
> A user’s entire "home" directory. Individual files and directories inside the home directory should still be allowed, but user agents should not generally let users give blanket access to the entire directory.
EnergyAmy 9 hours ago [-]
That's not at all specific. What individual files and directories?
Ajedi32 9 hours ago [-]
All of them, unless they're also on the list of examples to exclude (like the Downloads folder).
I think the point is that as long as the user is sharing things on purpose and not by accident, it should be allowed. Selecting the root of the home directory would probably share a lot of things the user didn't really intend to share (because a lot of apps just dump random config files and stuff in there), but if they specifically select a subfolder they probably have a good idea of what that folder contains.
superjan 9 hours ago [-]
Is the camera roll excluded? I bet I am not the only one who has a passport picture in there. I don’t know about other people’s camera rolls, but I bet it is occasionally more saucy than mine.
(Sorry for not testing. Chrome-hater)
cnr 9 hours ago [-]
Let's not forget that, at the same time, Google forces every developer of any Android app to register in the Google database using an ID scan, otherwise no one can install it.
All for the sake of "dear user safety".
no_way 3 hours ago [-]
I am using this api for music player[0] in the browser. Biggest share of my users are using Chromebooks, where besides Android apps are not much alternatives. If this API was not available closest thing would be to make an Electron app, which has much more broad system access to users device than a website using showDirectoryPicker.
Regarding security I think Chrome got right balance on this: you always need to select folder, sensitive ones are excluded, on repeat visits if you try to access a file, it asks you permission again, you can't get full filename paths and so on.
Chromium has around the same market share as Windows, so at this point I feel people are targeting it as a web application development platform just as people target Windows.
inigyou 9 hours ago [-]
(intentionally, because it's a massive security risk and only Google doesn't care about endpoint security)
rightlane 9 hours ago [-]
We are introducing new and exciting ways to expose environment variables and PII every day! Introducing features like this while we are in the midst of uncontrolled supply chain attacks feels like a not great idea.
steveharrison 11 hours ago [-]
I'm really excited about window.showDirectoryPicker and the local-first web apps it will enable. There's lots of talk about local-first sync engines, but the best sync engine is one you don't even manage, like the user's file system / cloud storage service!
Ajedi32 9 hours ago [-]
Yes, I think this modern trend towards storing user data in app/website-specific databases instead of in files has been bad for consumer freedom. Files are naturally portable and provide a interface for inter-operating with competing software in a way that data stored in the cloud or an app-specific database does not.
APIs that encourage websites to store user data in files are a positive thing.
zb3 10 hours ago [-]
[flagged]
reddalo 10 hours ago [-]
Firefox may not be the best browser, but it's the last full-featured non-commercial independent browser still available (excluding forks like Waterfox).
If we want a free and open internet, we need to protect Firefox at all costs.
coldpie 10 hours ago [-]
Please don't give trolls attention. Just downvote & move on.
gchamonlive 9 hours ago [-]
But it's fun
zb3 9 hours ago [-]
> non-commercial
They inject various unwanted integrations (like pocket in the past).
> independent
Independent from who, Google? Well, no, not even independent from Google, that's the truth.
acbart 10 hours ago [-]
Some of the permissions problems related to window.showDirectoryPicker have been frustrating. I'm developing a client-side Python web framework, and during development I need to mount the library locally; I hand off the directory to Pyodide using this API. But that doesn't work in VSCode's internal browser, apparently because the API just simply isn't able to be approved.
Yiin 10 hours ago [-]
sounds like vscode issue more than anything else
tantalor 10 hours ago [-]
Usability issues? In vscode? No...
steve1977 9 hours ago [-]
I'm not sure if this is meant to be ironic?
"You can also create folders within the app and move photos into them, and it all happens on your filesystem."
Why, yes. But you can also do that with Finder.
And if you want to work with local data, why use the often inferior web-based widgets and toolkits instead of native ones?
This seems to be the worst of both worlds so to speak.
coldpie 9 hours ago [-]
I used to think like this too, but somewhat surprisingly to myself, I have actually come around to deciding the web API is the most user-forward API that closed-source software can target, and it is actually good for end users for closed-source software to target it. This is because web API software is distributed as plaintext to be interpreted by software under user's control, the browser. This gives a ton of power to the user. We as end users can develop browser extensions, CSS hacks, and so on, to make this closed-source software work better for us.
I frequently do this; why can't I paste into this password text box? Screw it, I go into dev tools and enable pasting into it. Who decided grey-on-grey text was a good idea? Screw it, I got into dev tools and make the text black. Why can't I copy the text on this page? Screw it, I go into dev tools and yank it straight from the DOM. Why does this stupid animation take so long? Screw it, I go develop a greasemonkey script to set the animation timer value to 0. This is all quite easy with web API software, but would be be extremely difficult with a compiled binary.
This is to say nothing about the cross-platform benefits. No one's shipping a HaikuOS binary, but most web apps work just fine there, depending on browser feature support.
I think it is also a good choice for open-source software for the same reason. It provides a common, well-tooled API for users to hack the software they are using. But open-source software has other hackable options that make it less of a strong argument there.
Native toolkits definitely have a lot of nice features that the web API doesn't (yet) have, and there's a ton of value in the consistency native toolkits provide. But I think I've come around to valuing hackability over those features, so I'm actually now a web API fan. Again, surprising myself with this switch :)
petcat 9 hours ago [-]
The best app is the one that is available on your platform.
Unfortunately I think the ubiquity of browser-based web apps are the only reason the Linux desktop is even remotely usable at this point.
yread 10 hours ago [-]
But webkitdirectory="true" could already do that, no?
justusthane 9 hours ago [-]
No, they're very different. Using webkitdirectory="true" on an <input> element just allows you to select a directory to e.g. upload it to the server. It's a one-time operation.
This API returns a handle to the selected directory, giving the webpage ongoing read/write access to the directory.
You couldn't use the former to e.g. create a local-first notes app that stores its files on disk.
simonw 9 hours ago [-]
That's read-only.
It's very cool though, and worth learning about for anyone who's unfamiliar.
You say “mainly missing Safari and Firefox”, but the better way to look at it is “only Chromium”. There is only one implementation, and the other two major implementers have explicitly rejected it. And we don’t standardise things without at least two implementations.
skeledrew 8 hours ago [-]
> we don’t standardise things without at least two implementations
... unless you have the weight of Google.
asdfsa32 10 hours ago [-]
This new IE6 called Chrome, I hate it.
llosio 9 hours ago [-]
photopea.com already does this...
It's a full photoshop-like image (svg, gif, and video too) editor that runs completely on the browser, and has the ability to load a folder as you "Local Projects" folder.
I'm surprised nobody commented this already
rvz 10 hours ago [-]
Phishers and exploit developers are celebrating and jumping for joy over yet another way to deploy their payload to their victims.
What are the many ways could this possibly go wrong?
Anduia 9 hours ago [-]
"Choose your browser cache folder to improve performance"
codedokode 7 hours ago [-]
Choose .autostart directory to install a video codec needed to play this video.
pmontra 4 hours ago [-]
Or "to save the pictures of those girls." There are infinite ways to make people open the doors of their storage.
10 hours ago [-]
qwertytyyuu 9 hours ago [-]
Read, sure, already can do that with file upload. Write sounds like a disaster waiting to happen
buckle8017 10 hours ago [-]
A whole new world of phishing.
functionmouse 9 hours ago [-]
everything is Chrome in the future
AlienRobot 10 hours ago [-]
I wish we had this in the operating system. It would solve an immense number of risks such as data deletion from bugs and even ransomware.
App developers will often choose not to sandbox their applications because it's a lot easier (and sometimes faster) do to all file management yourself, but the APIs are there and ready to be used.
AlienRobot 9 hours ago [-]
Flatpak is probably the worst way to "have" this possible. It's completely opaque to both app and user. If you ever tried to run an .exe through flatpak'd bottles, you'll run into an issue where .dll's aren't found because you didn't install flatseal first to configure permissions. That's not operating-system level integration. That is actually very poor design that a user requires a separate app (flatseal) to configure how the sandbox works.
I was thinking about desktop OS's, actually.
You don't need to use that Windows API. You can just access any file you want. There is no reason a music player, for example, needs to access ~/Pictures. An arbitrary program requiring access to all your files is a huge red flag, but it's a red flag that users aren't allowed to see. Proper filesystem permissions would fix that.
asdfsa32 9 hours ago [-]
MacOS has this and what happens is that you get into the habit of just clicking through it. It won't help with ransomware, only backups would.
AlienRobot 9 hours ago [-]
That just means it's poorly designed. There has to be a way to design this in such way it works.
znpy 10 hours ago [-]
> Chrome introduced a new API, window.showDirectoryPicker() that allows the user to grant access to a directory on their computer and allow a website to read/write everything inside.
I mean, what could go wrong?
It's not like an user is tricked into uploading a file from a folder (let's say, the main "Documents" folder) and some malicious website steals all the files over there.
bigrocketapps 10 hours ago [-]
If you tried this out in Linux, for example, the system would block you from selecting folders that contain files that are flagged as dangerous or "system files". I'm assuming this was implemented across all OSes.
blharr 9 hours ago [-]
That does not sound at all reassuring, that the only safeguard is the system blocking access and that the API has no safeguard.
Its also easily possible to have sensitive files misplaced, especially for a general non-technical user that would be the one falling for a browser hijacking attack
bigrocketapps 9 hours ago [-]
I have not checked the source code to tell you if the system is the one blocking access or the browser-level API itself. I'm guessing it's the browser. The only reason I mentioned Linux is that's where I tested it and I'm sure there are differences across OSes.
My biggest concern here is the write permission.
znpy 9 hours ago [-]
i give zero F about whatever is in my /usr, /var/lib and /opt folders.
what are websites gonna steal, debian binaries and libraries?
all my important stuff are in my home directory, which is owned (read+write) by me, the same user running the browser.
It is a great API though, I wish the other browser vendors liked it! Because currently us PWA developers are really limited when trying to make apps that work with local data, at least in non-Chrome browsers.
Also, there is a risk of a site writing malware executable, and Linux currently has no sandboxing for such executables so the system would be completely owned once the user runs the program. So the directory should not allow storing executables.
I think the WebKit take on this is good and a better fit for most apps. They instead implemented Origin Private File System. Which is based on the same API bits but the folder is only accessible by the website. The downside is the user loses some control over the files:
- can’t see what’s being stored
- can’t easily backup those files
- has to use that web app to access the files
- usual nonsense about important files being classed as “cookies” or some nonsense by cache cleaning tools, leading to users deleting their data without realising it
Why not use some human-readable path like ~/Internet/example.com/ ? In this case the user could see the files.
I think the fact that the above issue has been open for a very long time is one indication of how difficult and sensitive this type of access control API is. The Google Drive API could be a proving ground for getting the UX right for this (including tricky details like how to manage persistent access to a folder with clear disclosure and user controls).
Why not just create per-domain browser-controlled folders (cert-linked?) that are abstracted into a simple read/write API via the browser (with subfolders allowed under that domain's root), disallow cross-domain access... and then build browser-mediated linking for use cases where you want to flow files from (non-domain) to (domain) to (non-domain)?
So essentially local storage with better integration with the actual filesystem, that's browser-controlled.
Allowing websites to have arbitrary (even user-approved) access directly to the real filesystem seems like a bad idea, when most use cases could be handled by a browser-mediated filesystem-like abstract view.
- the first time you select a directory it must be empty
- you can drag files in there afterwards
- the directory gets whitelisted for future use
Probably has bad usability, but would be more secure.
Claude can stay in his own lane, I want to know how I can use this during development to simulate uploading photos, so Chrome only is okay for my purposes. But I want to know how to do it, not how much better Claude is than me, forever able to do anything I can do but better.
both Mozilla[1] and Apple[2] are opposed to it
encouraging people to build apps that only work in google web browsers actively harms the web and sends a signal to google that they can in fact keep doing this
[1] https://mozilla.github.io/standards-positions/#native-file-s...
[2] https://webkit.org/standards-positions/#position-28
I agree with the comments about how much of a security risk this poses. But, isn't that the case with any binary or executable files and apps we download from the internet anyway?
It would be cool if you could have a specially-demarcated directory (e.g. even inside the application like `~/Applications/Chrome/<website>/local_files`) which you can just open super easily with a button from Chrome, and just copy files over into that directory as needed. Would provide the benefits of a more secure enclave with the flexibility of being on the filesystem.
Why not just make the API create a new directory rather than selecting one? There's still a risk people create a directory in a shared location - but at least they're only risking the new directory then, right?
* System and root directories cannot be selected. * Can only being activated after user action. * Requires https. * Double-confirmation for write access.
No API like this could ever be bulletproof, but it's a start I guess.
Very cool API though, and it really does open up a whole new world of possibilities.
Root of the home directory is also excluded.
But obviously yeah, nothing's going to prevent you from giving a website access to your .ssh directory if you explicitly select it.
Personally I don't have a problem with that. The ability to upload files has been a thing on the web for forever and I don't think there's ever been anything that stopped users from uploading their private key. Possibly some users have gotten phished that way, but at a certain point you have to accept responsibility for your own actions, otherwise you start ceding control of your life to a corporate nanny state.
That desperately needs something like the Public Suffix List [1] - a community-managed list where authors of software can blacklist directories containing sensitive files or such files directly for all browsers implementing this feature.
If I were to design such a list, it would include ~/.ssh, ~/.aws, ~/.config, ~/Library, ~/.{ba,z}sh{rc,_profile,_history}, ~/.m2, ~/.npm, ~/.npmrc, ~/.profile at the very least. Because users will get phished.
[1] https://en.wikipedia.org/wiki/Public_Suffix_List
~/Pictures and ~/.ssh are as far apart as they can be while staying in the user's home directory. I guess you could stick stuff in... /var or something, but that seems worse overall.
And while I do hate Mozilla, Google is to be disliked even more.
From what I gather from the docs [1], this API gives you a FileSystemDirectoryHandle object, and then you just call getDirectoryHandle() on that to recursively read the the entire filesystem. The spec [2] has some vague suggestions about blacklisting certain particularly sensitive files, which doesn't seem reassuring.
[1] https://developer.chrome.com/docs/capabilities/web-apis/file...
[2] https://wicg.github.io/file-system-access/#privacy-wide-acce...
No, Chrome doesn't allow this.
Here's a simple demo: https://output.jsbin.com/kekekac/quiet - note that you can't select root, Downloads etc.
https://web.dev/patterns/files/open-a-directory
I can select Downloads
There is a reason why it’s Chromium browsers only, don’t you think?
Well, yes.
The alternative is to give any malicious ad the ability to drive-by-download malware onto your machine.
A malicious ad would probably have an easier time tricking you into downloading and running an executable, which is something that has actually happened many times IRL. Worry about that before worrying about theoretical exploits that nobody has actually exploited in an API shipped in the world's most popular web browser for the past 6 years.
None.
Because I don't use Chrome.
It's spyware.
Those "vague suggestions" actually seem to include some pretty specific examples.
> A user’s entire "home" directory. Individual files and directories inside the home directory should still be allowed, but user agents should not generally let users give blanket access to the entire directory.
I think the point is that as long as the user is sharing things on purpose and not by accident, it should be allowed. Selecting the root of the home directory would probably share a lot of things the user didn't really intend to share (because a lot of apps just dump random config files and stuff in there), but if they specifically select a subfolder they probably have a good idea of what that folder contains.
(Sorry for not testing. Chrome-hater)
All for the sake of "dear user safety".
Regarding security I think Chrome got right balance on this: you always need to select folder, sensitive ones are excluded, on repeat visits if you try to access a file, it asks you permission again, you can't get full filename paths and so on.
[0] https://github.com/minht11/local-music-pwa
https://developer.mozilla.org/en-US/docs/Web/API/Window/show...
APIs that encourage websites to store user data in files are a positive thing.
If we want a free and open internet, we need to protect Firefox at all costs.
They inject various unwanted integrations (like pocket in the past).
> independent
Independent from who, Google? Well, no, not even independent from Google, that's the truth.
"You can also create folders within the app and move photos into them, and it all happens on your filesystem."
Why, yes. But you can also do that with Finder.
And if you want to work with local data, why use the often inferior web-based widgets and toolkits instead of native ones?
This seems to be the worst of both worlds so to speak.
I frequently do this; why can't I paste into this password text box? Screw it, I go into dev tools and enable pasting into it. Who decided grey-on-grey text was a good idea? Screw it, I got into dev tools and make the text black. Why can't I copy the text on this page? Screw it, I go into dev tools and yank it straight from the DOM. Why does this stupid animation take so long? Screw it, I go develop a greasemonkey script to set the animation timer value to 0. This is all quite easy with web API software, but would be be extremely difficult with a compiled binary.
This is to say nothing about the cross-platform benefits. No one's shipping a HaikuOS binary, but most web apps work just fine there, depending on browser feature support.
I think it is also a good choice for open-source software for the same reason. It provides a common, well-tooled API for users to hack the software they are using. But open-source software has other hackable options that make it less of a strong argument there.
Native toolkits definitely have a lot of nice features that the web API doesn't (yet) have, and there's a ton of value in the consistency native toolkits provide. But I think I've come around to valuing hackability over those features, so I'm actually now a web API fan. Again, surprising myself with this switch :)
Unfortunately I think the ubiquity of browser-based web apps are the only reason the Linux desktop is even remotely usable at this point.
This API returns a handle to the selected directory, giving the webpage ongoing read/write access to the directory.
You couldn't use the former to e.g. create a local-first notes app that stores its files on disk.
It's very cool though, and worth learning about for anyone who's unfamiliar.
I have a demo page showing what it can do here: https://tools.simonwillison.net/webkitdirectory
Not truly supported across all mobile browser currently, but it's certainly better than just one year ago.
* Global 75.2%
Mainly missing Safari and Firefox
... unless you have the weight of Google.
It's a full photoshop-like image (svg, gif, and video too) editor that runs completely on the browser, and has the ability to load a folder as you "Local Projects" folder.
I'm surprised nobody commented this already
What are the many ways could this possibly go wrong?
App developers will often choose not to sandbox their applications because it's a lot easier (and sometimes faster) do to all file management yourself, but the APIs are there and ready to be used.
I was thinking about desktop OS's, actually.
You don't need to use that Windows API. You can just access any file you want. There is no reason a music player, for example, needs to access ~/Pictures. An arbitrary program requiring access to all your files is a huge red flag, but it's a red flag that users aren't allowed to see. Proper filesystem permissions would fix that.
I mean, what could go wrong?
It's not like an user is tricked into uploading a file from a folder (let's say, the main "Documents" folder) and some malicious website steals all the files over there.
Its also easily possible to have sensitive files misplaced, especially for a general non-technical user that would be the one falling for a browser hijacking attack
My biggest concern here is the write permission.
what are websites gonna steal, debian binaries and libraries?
all my important stuff are in my home directory, which is owned (read+write) by me, the same user running the browser.