Closed Bug 674047 Opened 10 years ago Closed 7 years ago

Teach FileSaver to take URIs as well

Categories

(Core :: DOM: Core & HTML, enhancement)

enhancement
Not set
normal

Tracking

()

RESOLVED INCOMPLETE

People

(Reporter: khuey, Unassigned)

References

()

Details

So that you can do

let saver = FileSaver("http://example.com/foo.txt");

Plan is to use CORS here.  This will need a separate security review.
It is not clear to me how this should work.
We don't have any events for downloading?
That's a good question.  After thinking about it, I don't think we need events for downloading.

Conceptually, FileSaver transfers data from "somewhere" to your disk.  I don't think it matters where the data comes from.  Progress events on the writes are enough, I think.
For cross-origin loads that aren't backed by CORS we don't want to expose the file size though. We might not even want to expose any progress events as that lets you estimate the size using timing attacks :(
I thought we just weren't going to do cross-origin loads that aren't backed by CORS?
Whiteboard: [sr:curtisk] → [secr:curtisk]
Whiteboard: [secr:curtisk] → [sec-assigned:curtisk:749341]
Flags: sec-review?(curtisk)
Whiteboard: [sec-assigned:curtisk:749341]
bug has no owner and has not moved in ~2 years, closing blocking sec-review bug as incomplete and leaving flag to indicate need to do security work when / if this bug refreshes
Yeah I don't think we're interested in this anymore.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: sec-review?(curtisk)
Resolution: --- → INCOMPLETE
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.