Re: Firefox PDF download - strange behaviour.
On Tue 18 Jan 2022 at 14:46:48 (+0000), Jeremy Nicoll wrote:
> On Tue, 18 Jan 2022, at 04:51, songbird wrote:
> > Jeremy Nicoll wrote:
> >> On Mon, 17 Jan 2022, at 05:19, songbird wrote:
> >>
> >>> you are right, but i just wanted to say that for some sites
> >>> the behavior is to generate a unique file name if they find
> >>> one that already exists with the same name and for other sites
> >>> it is not. i think this is dependent upon the website designers
> >>> and not firefox.
> >>
> >> Are you saying that code on a webpage can interrogate my
> >> file system to see whether certain files exist? I don't like the
> >> sound of that.
> >
> > you are running the webpage on your browser so it is your
> > own computer and your own program that is doing the accessing
> > just like any other program you run.
>
> The problem is that a user would normally only expect a browser to
> save a file to the file-system in two cases:
>
> (a) when the user has explcicitly chosen to download something, and
> then chooses where to put it
>
> (b) when the browser is cacheing content, or manipulating its own
> config files
>
> In both those cases it's code written by the browser's developers
> that's doing the writing.
>
> The new situation will allow any JS written by any page developer to
> access my files. I am unconvinced that this will never lead to malware
> doing things to files/folders on my system without my knowledge.
>
> It's a BIG change to users' expectations of what a browser can do.
>
> Users with no technical knowledge could get bitten by this.
>
> > what controls you wish
> > to put on the access to your file system and how you do that
> > is up to you and your own desires and capabilities.
>
> I don't think it should be up to me. I'd prefer to prohibit any JS
> in a browser from doing that.
>
> > but what i do is set where files are saved in a
> > specific directory and leave it at that
>
> That works fine while you can be sure that a browser is only
> saving downloaded files. What about when if can do anything
> it likes to any file/folder?
Songbird went on to say:
> > if you are running a linux
> > system then you have the capability of using different users
> > and groups to control file and directory access. so you only
> > browse using one user and then set up a directory for that
> > user to save files to and then put stuff there. then you can
> > make that directory read only to a group and set up another
> > user to go look at the files saved there. or something like
> > that...
… which is what I do: user "flash" browses all except a few
trusted sites. I can read flash's ~/PDF/, downloads and browser
cache, and after a minute, I own the first two categories,
thanks to cron.
Cheers,
David.
Reply to: