Limit allowed "accepted" extensions in File System Access API file pickers.

[mkruisselbrink]

HIQaH! QaH! TAG!

I'm requesting a TAG review of a small tweak to the File System Access API.

Initially the File System Access API (previously known as Native File System API) had no limitations on what strings were allowed to be used as accepted file extensions in the showOpenFilePicker and showSaveFilePicker methods.

Since the file picker (on most platforms) appends these extensions to the filename the user enters, this can result in filenames with characters we don’t want to allow/that are otherwise problematic. In particular we don't want to allow control characters or whitespace in suffixes, or filenames that end in a '.'. As such we add restrictions on what characters are allowed in accepts file extensions/suffixes, as well as limiting their length to 16.

Limiting extensions to only contain alphanumeric characters, + or . still allows all
extensions in the shared-mime-info database as well as nearly all extensions in Wikipedia's List of filename extensions.

• Explainer/Specification URL: Limit what code points are allowed in suffixes. WICG/file-system-access#252
• Tests: will be added to https://github.com/web-platform-tests/wpt/tree/master/native-file-system
• Security and Privacy self-review²: Original self-review for the File System Access API https://github.com/WICG/file-system-access/blob/master/security-privacy-questionnaire.md
• GitHub repo (if you prefer feedback filed there): https://github.com/wicg/native-file-system/issues/
• Primary contacts (and their relationship to the specification):
  • Marijn Kruisselbrink (@mkruisselbrink), Google
• Organization(s)/project(s) driving the specification: Google
• Key pieces of existing multi-stakeholder review or discussion of this specification: The File System Access API (previously known as Native File System API) as a whole was reviewed in Native File System API #390
• External status/issue trackers for this specification (publicly visible, e.g. Chrome Status): https://www.chromestatus.com/feature/4768827940274176

Further details:

• I have reviewed the TAG's API Design Principles
• Relevant time constraints or deadlines: As this fixes potential security issues we will be shipping these changes as soon as possible. We will try to address any feedback that comes in afterwards.
• The group where the work on this specification is currently being done: WICG
• The group where standardization of this work is intended to be done (if current group is a community group or other incubation venue): WebAppsWG
• Major unresolved issues with or opposition to this specification:
• This work is being funded by: Google

You should also know that...

[please tell us anything you think is relevant to this review]

We'd prefer the TAG provide feedback as (please delete all but the desired option):

💬 leave review feedback as a comment in this issue and @-notify @mkruisselbrink

[annevk]

Should these restrictions be aligned with <input type=file accept>?

[mkruisselbrink]

I don't see any reason why we couldn't align these restrictions, but it also matters less for <input type=file accept>. The security concerns are mostly about writing to files with dangerous extensions, so for security purposes I don't think we need to align them, but I don't see a reason why aligning would hurt either.

[cynthia]

@kenchris and I looked at this today.

First of all, neither of us think we have ever seen a main.c++ file in the wild. Is that particular bit really needed, aside from this really weird case? (Unless this was a brown M&M, in which case well done!)

Otherwise, this looks like a sensible change.

[kenchris]

I think that restriction to ASCII + "." makes a lot of sense - thought you can actually use emoji and control chars and the like in file extensions on Windows

Does any OS actually associate .c++ with an IDE? I have never in my life as a C++ developer seen ".c++" extension and maybe we can avoid whitelisting "+"

[kenchris]

I don't think we should support "+" because then you could argue that we should also support "#" as some people and tools support for that C#

[kenchris]

There is of course also ".c--":

Maybe we should just add "+", "-" and "#". @cynthia found another example of # used in the wild

[kenchris]

And "$" and "!" :-)

Luckily I don't find anything else weird here:

https://en.wikipedia.org/wiki/List_of_filename_extensions_(A%E2%80%93E) (and other sections)

Almost forgot that ~ is also used in Linux for temporary files and also seen elsewhere:

So ["+", "-", "#", "$", "!", "~"] - I am fine with adding those, but just adding "+" and not the others seems strange

[torgo]

Hi @mkruisselbrink any feedback you can share based on Ken's comments above?

[mkruisselbrink]

Sorry for the slow reply. The current list of characters is indeed fairly arbitrary. I think I originally did include most of what you're asking about (going of the wikipedia list), but got some push back that without clear use cases it was better to be as minimal as possible (because who knows what characters might have special meaning on particular file systems/operating systems). I agree that + is a bit of an odd one out in that regard. I believe I mostly went by what was in the freedesktop.org shared-mime-info database, which does include .c++, but none of the other characters (so yes, most linux installations will treat .c++ files as the same mime type as .cpp and .cc, and thus have the same applications associated with them).

I'd be fine with adding the rest, although so far nobody has asked for them yet.

[kenchris]

Ok sounds good, we are good to close this then. Thanks for consulting the TAG.