javascript: Web application accessing the user's file system
Declaration: this page is a Chinese-English side-by-side translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me): StackOverflow
原文地址: http://stackoverflow.com/questions/33746680/
Web application access user's file system
Asked by baldr
I am creating a web application for my client. The application will be installed on a dedicated server within the corporate network. He wants to see the list of his local files (from his local PC) on the web page. He means that any visitor can see the list of his local files from some folder.
I know that the web application cannot have access to the visitor's file system. Browsers limit this by design. Of course, there might be some browser extensions and applets and Flash apps or even hacks... But this is not the case.
But how can I explain this to him? He points me to the 'save as' or 'load file' dialogs and says that other applications can do this. I don't know how to explain to him that this is just the browser's interaction.
I tried to google for some links to proofs, but cannot find anything quickly.
Can you guys give me some links to documents describing the inability to access the user's folder from a web application?
Accepted answer by baldr
Finally I compiled some quotations, and it is done.
https://en.wikipedia.org/wiki/JavaScript#Security
scripts run in a sandbox in which they can only perform Web-related actions, not general-purpose programming tasks like creating files
https://www.us-cert.gov/publications/securing-your-web-browser
JavaScript, also known as ECMAScript, is a scripting language that is used to make websites more interactive. There are specifications in the JavaScript standard that restrict certain features such as accessing local files.
https://developer.mozilla.org/en-US/docs/Web/API/File_System_API/Introduction#restrictions
Because the file system is sandboxed, a web app cannot access another app's files. You also cannot read or write files to an arbitrary folder (for example, My Pictures and My Documents) on the user's hard drive.
Answer by Maksim
Mozilla, File System API Restrictions:
Because the file system is sandboxed, a web app cannot access another app's files. You also cannot read or write files to an arbitrary folder (for example, My Pictures and My Documents) on the user's hard drive.
Answer by MikaKarma
Maybe this document rocks?
http://dev.w3.org/2009/dap/file-system/file-dir-sys.html#security-considerations
Section 4.1
An application can request temporary or persistent storage space. Temporary storage may be easier to get, at the UA's discretion [looser quota restrictions, available without prompting the user], but the data stored there may be deleted at the UA's convenience, e.g. to deal with a shortage of disk space.
Conversely, once persistent storage has been granted, data stored there by the application should not be deleted by the UA without user intervention. The application may of course delete it at will. The UA should require permission from the user before granting persistent storage space to the application.
This API specifies the standard origin isolation in a filesystem context, along with persistence of data across invocations. Applications will likely use temporary storage for caching, and if it's still around from a previous session, it is often useful. Persistent data, on the other hand, is useless if you can't access it again the next time you're invoked. However, even persistent data may be deleted manually by the user [either through the UA or via direct filesystem operations].
Answer by su-ex
What about arguing with the client-server model? You send a request to the server (a website request, a file or whatever) and the web server can respond. There's no direct file system access on the server (the web server is in between) and the client can choose what he sends to the server (the file picker dialogue in the browser).
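The distinction the asker is trying to convey (the 'save as' / 'load file' dialogs the client points at) and the file picker su-ex mentions come down to one mechanism, shown here as an added JavaScript example that is not part of the original question or any of the answers. It assumes the standard, vendor-prefixed browser features `<input type="file" webkitdirectory>` and `File.webkitRelativePath`; the function names `buildTree`, `renderTree`, `countFiles` and the constructed `SAMPLE_PICK` input are chosen for this example only.

```javascript
// Added example, not code from the original question or answers.
// It shows the one sanctioned route to a user's local files: the browser's own
// file dialog, opened by the user, with the folder chosen by the user. The page
// never learns a path it can open itself; it only receives File objects, each
// carrying a path relative to the folder the user picked (webkitRelativePath).
// buildTree, renderTree, countFiles and SAMPLE_PICK are names chosen for this
// example; <input webkitdirectory> and File.webkitRelativePath are real,
// vendor-prefixed browser features.

// Group the File objects handed over by the picker into a directory tree,
// using the folder components of each file's webkitRelativePath.
function buildTree(files) {
  const root = { dirs: {}, files: [] };
  for (const f of files) {
    // A plain single-file picker gives no relative path; fall back to the name.
    const rel = f.webkitRelativePath || f.name;
    const parts = rel.split('/').filter(Boolean);
    const name = parts.pop();
    let node = root;
    for (const dir of parts) {
      if (!node.dirs[dir]) node.dirs[dir] = { dirs: {}, files: [] };
      node = node.dirs[dir];
    }
    node.files.push({ name, size: f.size });
  }
  return root;
}

// Render the tree as indented lines (directories first, then files, sorted).
function renderTree(node, depth = 0) {
  const pad = '  '.repeat(depth);
  const lines = [];
  for (const dir of Object.keys(node.dirs).sort()) {
    lines.push(`${pad}${dir}/`);
    lines.push(...renderTree(node.dirs[dir], depth + 1));
  }
  const sorted = [...node.files].sort((a, b) => a.name.localeCompare(b.name));
  for (const f of sorted) lines.push(`${pad}${f.name} (${f.size} bytes)`);
  return lines;
}

// Total number of files in the tree, for a quick sanity check after a pick.
function countFiles(node) {
  return node.files.length +
    Object.values(node.dirs).reduce((n, d) => n + countFiles(d), 0);
}

// Constructed sample of what input.files yields after the user picks "reports/".
const SAMPLE_PICK = [
  { name: 'q1.pdf', size: 1200, webkitRelativePath: 'reports/2015/q1.pdf' },
  { name: 'q2.pdf', size: 1300, webkitRelativePath: 'reports/2015/q2.pdf' },
  { name: 'readme.txt', size: 40, webkitRelativePath: 'reports/readme.txt' },
];

// Browser wiring (skipped when there is no DOM, e.g. under Node). Note what is
// absent: there is no call that opens a given path such as C:\Users\... and
// browsers refuse to open the dialog without a user gesture; the user clicks,
// picks, and only then does the change handler see the chosen files.
if (typeof document !== 'undefined') {
  const input = document.createElement('input');
  input.type = 'file';
  input.setAttribute('webkitdirectory', '');
  input.addEventListener('change', () => {
    const tree = buildTree(Array.from(input.files));
    const pre = document.createElement('pre');
    pre.textContent = `${countFiles(tree)} file(s)\n` + renderTree(tree).join('\n');
    document.body.appendChild(pre);
  });
  document.body.appendChild(input);
} else {
  // Offline demonstration on the constructed sample.
  console.log(renderTree(buildTree(SAMPLE_PICK)).join('\n'));
}
```

Put the script in a page and click the control: the dialog belongs to the browser, the folder choice belongs to the user, and the script only ever sees what the user handed over. That is exactly the gap between the 'load file' dialog the client is pointing at and the unattended listing of an arbitrary folder he is asking for.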