explodes a day ago

Looks like these safeguards are in place:

* System and root directories cannot be selected.
* Can only be activated after user action.
* Requires https.
* Double-confirmation for write access.

No API like this could ever be bulletproof, but it's a start I guess.

Very cool API though, and it really does open up a whole new world of possibilities.

ptx a day ago | parent | next [-]

Those are some pretty flimsy safeguards. I don't keep my secrets in system directories and using HTTPS doesn't mean the site isn't malicious.

Ajedi32 a day ago | parent [-]

> I don't keep my secrets in system directories

Root of the home directory is also excluded.

But obviously yeah, nothing's going to prevent you from giving a website access to your .ssh directory if you explicitly select it.

Personally I don't have a problem with that. The ability to upload files has been a thing on the web for forever and I don't think there's ever been anything that stopped users from uploading their private key. Possibly some users have gotten phished that way, but at a certain point you have to accept responsibility for your own actions, otherwise you start ceding control of your life to a corporate nanny state.

mschuster91 a day ago | parent | prev [-]

> System and root directories cannot be selected.

That desperately needs something like the Public Suffix List [1] - a community-managed list where authors of software can blacklist directories containing sensitive files or such files directly for all browsers implementing this feature.

If I were to design such a list, it would include ~/.ssh, ~/.aws, ~/.config, ~/Library, ~/.{ba,z}sh{rc,_profile,_history}, ~/.m2, ~/.npm, ~/.npmrc, ~/.profile at the very least. Because users will get phished.

[1] https://en.wikipedia.org/wiki/Public_Suffix_List

inigyou a day ago | parent | next [-]

This is still a security nightmare! You won't get every folder, or even enough folders.

codedokode a day ago | parent | prev [-]

Blacklisting is never secure. Whitelisting is. Sadly some really smart person decided it was a good idea to store pictures and SSH keys within the same directory tree.

Diti a day ago | parent | next [-]

If you see a directory for pictures, it means XDG directories are available in your system. Then you can change their location at will, and place them as deep in your user directory as you like. Like in `~/opt/art/visual/picture`.

My Nix Home Manager settings for XDG directories:

    # Move every XDG user directory out of the top level of $HOME so that
    # nothing a file picker is likely to offer sits next to dotfiles.
    xdg.userDirs = {
      enable = true;
      createDirectories = true;   # create the directories if they do not exist
      desktop = "${config.home.homeDirectory}/var/desktop";
      documents = "${config.home.homeDirectory}/opt/docs";
      download = "${config.home.homeDirectory}/var/download";
      music = "${config.home.homeDirectory}/opt/art/music";
      pictures = "${config.home.homeDirectory}/opt/art/visual/picture";
      publicShare = "${config.home.homeDirectory}/var/public";
      videos = "${config.home.homeDirectory}/opt/art/visual/video";
      templates = "${config.home.homeDirectory}/opt/templates";
    };

yjftsjthsd-h a day ago | parent | prev [-]

> Sadly some really smart person decided it was a good idea to store pictures and SSH keys within the same directory tree.

~/Pictures and ~/.ssh are as far apart as they can be while staying in the user's home directory. I guess you could stick stuff in... /var or something, but that seems worse overall.