Hi, Folks-

During the TPAC joint meeting between the WebApps and DAP WGs, we
discussed security policies and use cases and requirements around saving
files in different scenarios: public web resources (web pages and apps),
widgets, mobile device and desktop browsers, locally-installed
applications, etc. [1]

To kick this thread off, I'd like to suggest the trust model that
already exists for local applications and browsers, which is to open a
modal dialog that allows the user to select the file the application can
save to; for webapps, I suggest the extra security consideration we add
is to have the file hook which is returned be completely opaque (as far
as the directory and file name) to the web app, and it just knows where
to write. Further, we should limit the upper bounds of the file size.

I don't have any thoughts about auto-save across sessions, but it should
be addressed (probably not allowed).

This could be evoked through the UI convention of a file dialog, or just
as a bare API (if the user preferences allow the API to ask about saving
files). In any case, it should never be a "cool" webapp-specific file
API dialog, only ever the native dialog of the browser (be it a desktop
or mobile).

Please send in use cases, requirements, concerns, and concrete
suggestions about the general topic (regardless of your opinion about my
suggestion).

[1] http://www.w3.org/2009/11/02-dap-irc#T20-40-39-1

Regards-
-Doug Schepers
W3C Team Contact, SVG and WebApps WGs
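
The trust model proposed in the message above, sketched as an added example that is not part of the original message and not any W3C or browser API: the user agent keeps the chosen path to itself, hands the web app a handle that can only write, enforces an upper size bound, and revokes the handle when the session ends. The names `createSaveBroker`, `grantFromDialog` and `endSession`, the 16-byte cap and the sample path are all hypothetical.

```javascript
// Toy model of the proposed trust boundary; not a real browser API.
// createSaveBroker, grantFromDialog and endSession are hypothetical names.
function createSaveBroker(maxBytes) {
  const saved = new Map();   // path -> bytes written; user-agent side only
  const revokers = [];       // lets the user agent kill handles at session end

  // Stands in for the native modal dialog: the user agent calls this with
  // the path the user picked. The web app never calls it or sees the path.
  function grantFromDialog(userChosenPath) {
    let written = 0;
    let open = true;
    revokers.push(() => { open = false; });
    // The handle closes over the path but exposes no property that reveals it.
    return Object.freeze({
      write(text) {
        if (!open) throw new Error("handle revoked");
        const size = new TextEncoder().encode(String(text)).length;
        if (written + size > maxBytes) throw new RangeError("size limit exceeded");
        written += size;
        saved.set(userChosenPath, written);
        return written;
      },
    });
  }

  // No auto-save across sessions: every outstanding handle stops working.
  function endSession() { revokers.splice(0).forEach((revoke) => revoke()); }
  return { grantFromDialog, endSession, savedSizes: () => new Map(saved) };
}

// Constructed scenario: the user picks a path, the app writes via the handle.
function runScenario() {
  const ua = createSaveBroker(16);                            // constructed cap
  const handle = ua.grantFromDialog("/home/alice/notes.txt"); // constructed path
  const result = {
    visible: Object.keys(handle).join(","),  // what the web app can enumerate
    leaked: JSON.stringify(handle),          // what serialising the handle yields
  };
  result.afterFirst = handle.write("hello, web");             // 10 bytes
  try { handle.write("too much data"); } catch (e) { result.overLimit = e.name; }
  ua.endSession();
  try { handle.write("x"); } catch (e) { result.afterSession = e.message; }
  result.onDisk = ua.savedSizes().get("/home/alice/notes.txt");
  return result;
}
```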