Description
What problem are you trying to solve?
(The FileSystemAccess part of this feature is tracked at WICG/file-system-access#463)
Motivation
The File System spec currently defines two access modes: "read" and "readwrite".
The problem with the current permission model is that operations requiring only file system modification, such as FileSystemHandle.remove(), are forced to request the broad "readwrite" mode. This is not ideal from a security perspective, as it grants more permission than necessary.
What solutions exist today?
N/A
How would you solve it?
Proposed Solution
We propose adding a new "write" access mode to the query access algorithm and the request access algorithm:
Each file system entry has an associated query access algorithm, which takes "read" or "readwrite" or "write" mode and returns a file system access result.
Each file system entry has an associated request access algorithm, which takes "read" or "readwrite" or "write" mode and returns a file system access result.
This new mode will allow applications to request only the permission to write to a file or directory, without also gaining permission to read from it.
Several existing methods that currently request "readwrite" access mode will be updated to use the more appropriate permission level. Operations that only modify or create files will now be able to request "write" permission instead.
Key changes include:
- FileSystemHandle.remove(): This operation will now only require "write" permission.
- FileSystemFileHandle.createWritable(): Creating a writable stream to a file will now be a "write"-only operation.
- FileSystemDirectoryHandle.getFileHandle({create: true}): Creating a new file handle will require "write" permission.
- FileSystemDirectoryHandle.getDirectoryHandle({create: true}): Creating a new directory handle will require "write" permission.
- FileSystemDirectoryHandle.removeEntry(): This operation will now only require "write" permission.
Developer Experience
The introduction of the "write" mode should not affect existing usage of the File System API. Sites with existing, already granted permissions should continue to work as before. The permission prompts shown to the user may become more specific when specifying "write" mode.
Anything else?
- File System Access
- File System:
  - Proposal: This issue.
  - Spec PR: Support "write" access mode #176
- Standard Positions
  - Gecko: Support "write"-only permission mode in FileSystem/FileSystemAccess API mozilla/standards-positions#1276
  - WebKit: Support "write"-only permission mode in FileSystem/FileSystemAccess API WebKit/standards-positions#534
  - Chromium: This is a Chromium proposal.
- Implementation
cc @a-sully
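
One way a site could ask for the narrowest mode under this proposal while still working in engines that only know "read" and "readwrite". This is an added example, not part of the original issue or the spec PR; `requestMinimalAccess`, `MIN_MODE` and `mockHandle` are hypothetical names, and the TypeError rejection for an unknown mode is an assumption based on WebIDL enum conversion.

```javascript
// Minimum mode per operation, following the "Key changes" list in the proposal.
const MIN_MODE = {
  remove: 'write',
  createWritable: 'write',
  'getFileHandle:create': 'write',
  'getDirectoryHandle:create': 'write',
  removeEntry: 'write',
  getFile: 'read',
};

// Request the narrowest mode for `operation` on `handle`.
// Assumption: an engine without the proposed "write" mode rejects the unknown
// enum value with a TypeError; only then do we widen to "readwrite".
// In a browser, requestPermission() must be called from a user gesture.
async function requestMinimalAccess(handle, operation) {
  const wanted = MIN_MODE[operation];
  if (!wanted) throw new RangeError(`unknown operation: ${operation}`);
  const attempts = wanted === 'write' ? ['write', 'readwrite'] : [wanted];
  for (const mode of attempts) {
    try {
      let state = await handle.queryPermission({ mode });
      if (state === 'prompt') state = await handle.requestPermission({ mode });
      // overGranted marks the cases where the site holds more than it needs.
      return { mode, state, overGranted: mode !== wanted };
    } catch (err) {
      const last = mode === attempts[attempts.length - 1];
      if (!(err instanceof TypeError) || last) throw err;
      // Unknown mode: fall through to the broader legacy mode.
    }
  }
}

// Constructed stand-in for a FileSystemHandle so the logic runs outside a browser.
function mockHandle(supportedModes, granted = {}) {
  const check = ({ mode }) => {
    if (!supportedModes.includes(mode)) throw new TypeError(`invalid mode: ${mode}`);
  };
  return {
    requested: [],
    async queryPermission(d) { check(d); return granted[d.mode] ?? 'prompt'; },
    async requestPermission(d) { check(d); this.requested.push(d.mode); return 'granted'; },
  };
}
```

Logging the `overGranted` flag gives a site a simple measure of how often it still ends up holding read access it never uses.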