Google, Mozilla Working on Letting Web Apps Edit Files Despite Warning That it Could Be Abused

Google and Mozilla are heading a group that is devising a way for users to save changes they make using web apps. From a report: The idea is to allow users to save changes they've made using web apps, without the hassle of having to download new files after each edit, as is necessary today. "Today, if a user wants to edit a local file in a web app, the web app needs to ask the user to open the file," said Google developer advocate Pete LePage. "Then, after editing the file, the only way to save changes is by downloading the file to the Downloads folder, or having to replace the original file by navigating the directory structure to find the original folder and file. This user experience leaves a lot to be desired, and makes it hard to build web apps that access user files."

To this end, the W3C Web Incubator Community Group (WICG), which is chaired by representatives from Chrome developer Google and Firefox developer Mozilla, is working on developing the new Writable Files API, which would allow web apps running in the browser to open a file, edit it, and save the changes back to the same file. However, the group says the biggest challenge will be guarding against malicious sites seeking to abuse persistent access to files on a user's system. "By far the hardest part for this API is of course going to be the security model to use," warns the WICG's explainer page for the API. "The API provides a lot of scary power to websites that could be abused in many terrible ways."

ActiveX, anyone?

[93+Escort+Wagon]

Nah, I’ve tried and tried - but I really can’t see how this could possibly go wrong...

Re:ActiveX, anyone?

[nazsco]

You forget one thing: Google!

Google is microsoft plus advertising.

When IE was pushing internet specs over W3c, it had nothing but the OS carrot pulling in users. If the website didn't like IE, it could just ask the user to change browsers, and the user did.

Now we have Google, who controls both the users via chrome (and access to their own products, just like microsoft --try to use hangouts, which is required for interviews etc, without chrome!) but besides that, it also controls the websites via their Ad business.

Now you have someone who have a monopoly on both user and site choices. Pushing one webstandard after another over everyone's heads. E.g. http2, http3... which is actually UDP...

Here how it is going down: they will convince all the good engineers that could block this abusive idea that the feature will have lots of UI alerts. The first use case will be something like photoshopOnline. Then, when those smart people are not looking, they will make every site request the permission because they will use it for data persistence on their analytics code! then they will make this the default on chrome, because users complain about too many popups! then they will move this to data persistence for adWords et al. And at this point it is end game trying to not be tracked among devices and accounts on google ecosystem.

#doNotWant

[phantomfive]

"The API provides a lot of scary power to websites that WILL be abused in many terrible ways."

FTFY. Fix your current mound of security bugs to demonstrate you have the ability to make a secure API, and then you might be able to convince people you have the ability to actually make it secure.