This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.

Bug 12820 - Hi guys, I am finding it frustrating that security features prevent me from writing a useful app in HTML5 that will run solely on the client machine. It seems that windows can talk to each other if their is a parent / child relationship - UNLESS you load
Summary: Hi guys, I am finding it frustrating that security features prevent me from w...
Status: RESOLVED WONTFIX
Alias: None
Product: HTML WG
Classification: Unclassified
Component: LC1 HTML5 spec (show other bugs)
Version: unspecified
Hardware: Other other
: P3 normal
Target Milestone: ---
Assignee: Ian 'Hixie' Hickson
QA Contact: HTML WG Bugzilla archive list
URL: http://www.whatwg.org/specs/web-apps/...
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-05-30 13:47 UTC by contributor
Modified: 2011-08-04 05:03 UTC (History)
6 users (show)

See Also:

Attachments

Description contributor 2011-05-30 13:47:31 UTC 
Specification: http://www.w3.org/TR/html5/
Section: http://www.whatwg.org/specs/web-apps/current-work/#top

Comment:
Hi guys,

I am finding it frustrating that security features prevent me from writing a
useful app in HTML5 that will run solely on the client machine.

It seems that windows can talk to each other if their is a parent / child
relationship - UNLESS you load both pages directly from the client machine.
The communication between them is considered suspect because the browser can't
determine that they both came from www.somewhere.

I saw a similar problem with local storage.

I find it frustrating that an "app" that a user has chosen to install on his
machine is considered unsafe, i.e. a probable virus; whereas running an app
from some other site you've possibly never visited before is considered safe.

Yes I'm swimming upstream here as everyone else is developing apps that run
off the web but I find local apps are more responsive and on a phone, incur no
download charges.

Could you please consider these sorts of uses for HTML (file://) in future
updates?

Thanks.


Greg Sydney-Smith


Posted from: 58.169.15.207
User agent: Mozilla/5.0 (Windows NT 6.0) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/11.0.696.71 Safari/534.24
Comment 1 Boris Zbarsky 2011-05-30 21:02:18 UTC 
The problem you're running into is that the browser has no way to tell apart "user installed an app" and "user just saved a web page" in your case....  That's not an HTML issue per se.
Comment 2 Aryeh Gregor 2011-06-26 22:59:34 UTC 
EDITOR'S RESPONSE: This is an Editor's Response to your comment. If you are
satisfied with this response, please change the state of this bug to CLOSED. If
you have additional information and would like the Editor to reconsider, please
reopen this bug. If you would like to escalate the issue to the full HTML
Working Group, please add the TrackerRequest keyword to this bug, and suggest
title and text for the Tracker Issue; or you may create a Tracker Issue
yourself, if you are able to do so. For more details, see this document:

   http://dev.w3.org/html5/decision-policy/decision-policy.html

Status: Rejected
Change Description: no spec change
Rationale: If files are saved to the local machine, we cannot tell what sites they came from.  If we let your site's files access other HTML files from the same site, we'd have to let it access HTML files from other sites too, and that could be a privacy violation.  For instance, maybe your files are in a downloads folder together with sensitive HTML files (e.g., internal corporate memos) that your files should not have access to.

I encourage you to either make sure your downloaded site consists of only one HTML file (very practical if you use JavaScript), or consider some other delivery mechanism like application caches.
Comment 3 Michael[tm] Smith 2011-08-04 05:03:22 UTC 
mass-moved component to LC1