by sayhello 2105 days ago
I worked on this. The quote is true, in all honesty. Same as downloading and running applications from the web.

We do our best to make sure the scenario listed doesn't happen. For instance, on Windows, after a writer is closed, we apply the Mark-of-the-Web, apply SafeBrowsing checks and finally call a system API which may trigger an anti-virus check.

On the Mac, we apply the equivalent of Mark-of-the-Web. You may have noticed that when you open the file, sometimes it asks you to ensure the provenance of the file?

Basically, it's a similar procedure as for file downloads.

Edit:

I forgot to say that "sensitive" directories are not allowed. Think C:\Windows, etc.

https://source.chromium.org/chromium/chromium/src/+/master:c...
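As an added example of the Mark-of-the-Web step described in the post above (this is illustrative Python written for this page, not Chromium's code behind the truncated link): on NTFS the mark is an alternate data stream named `Zone.Identifier` holding an INI-style `[ZoneTransfer]` section, and the checker below reads and parses it so you can verify, after a writer has been closed, that the mark is actually on the file. The sample stream content and its URLs are constructed for the example; the zone ids are the standard Windows URL security zones.

```python
"""Check whether a file carries the Windows Mark-of-the-Web (Zone.Identifier).

Constructed example: the sample stream below is made up for this demo, and the
functions only read an alternate data stream where the filesystem has one.
"""
import os
import tempfile

# Standard Windows URL security zone ids.
ZONE_NAMES = {
    0: "LocalMachine",
    1: "LocalIntranet",
    2: "TrustedSites",
    3: "Internet",
    4: "RestrictedSites",
}

# Constructed sample of what a Zone.Identifier stream typically contains for a
# file saved from the web; the URLs are placeholders, not real data.
SAMPLE_ZONE_IDENTIFIER = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.test/editor/\r\n"
    "HostUrl=https://example.test/exports/report.exe\r\n"
)


def parse_zone_identifier(text):
    """Parse the [ZoneTransfer] section into a dict; ZoneId becomes an int.
    Keys outside that section are ignored, and a malformed ZoneId is dropped
    (so the file is treated as unmarked rather than guessed at)."""
    section = None
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "zonetransfer" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.lower() == "zoneid":
            try:
                result["ZoneId"] = int(value)
            except ValueError:
                continue
        else:
            result[key] = value
    return result


def is_marked_from_internet(info):
    """True if the parsed mark says Internet or Restricted zone, the zones
    that make Windows warn (or run SmartScreen) when the file is opened."""
    return info.get("ZoneId", 0) >= 3


def read_zone_identifier(path):
    """Return the raw Zone.Identifier stream of `path`, or None when there is
    none. On Linux/macOS there are no alternate data streams, so this simply
    opens a filename that does not exist and also yields None."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8",
                  errors="replace") as stream:
            return stream.read()
    except OSError:
        return None


def describe(path):
    """Human-readable verdict for a downloaded or API-written file."""
    raw = read_zone_identifier(path)
    if raw is None:
        return "no Mark-of-the-Web"
    info = parse_zone_identifier(raw)
    zone = ZONE_NAMES.get(info.get("ZoneId"), "unknown")
    origin = info.get("HostUrl") or info.get("ReferrerUrl") or "unknown origin"
    return f"zone {info.get('ZoneId')} ({zone}) from {origin}"


def verdict_for_fresh_local_file():
    """A file created locally by this process carries no mark on any OS."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "report.exe")
        open(target, "wb").close()
        return describe(target)


if __name__ == "__main__":
    info = parse_zone_identifier(SAMPLE_ZONE_IDENTIFIER)
    print(info, "from internet:", is_marked_from_internet(info))
    print("fresh local file:", verdict_for_fresh_local_file())
```

Run `describe()` against a file you just saved through the API on Windows; if it reports no mark, the file will open without the provenance prompt the post mentions.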


I'm sure you worked hard and thought a lot about the security of this, but you have to be really arrogant to think that this will be fine because you thought about everything. I'm pretty sure this will open up a lot more possibilities for malware, viruses, harmful web pages than the convenience it will provide.
Yeah, they sure thought about everything, that's why ad networks abuse the hell out of every API they implemented to fingerprint people, like the AudioContext API, Battery API and whatnot.
The alternative isn't that people just don't use it; the alternative is that people download some random executable that has a much larger security vector, i.e. some Electron app that has unlimited file system access.
I have no idea why you were down-voted here. Non-technical people are downloading executable files on their systems by the millions every day.

People can argue about how scary the warning messages should be on this new API, but they can't argue that this is not the way forward to a more secure world.

With this new API in place we'll be one step closer to the goal of having all consumer applications running inside a progressively-permissioned sandbox. It's a dream come true and will allow the culture and OSes to even more strongly stigmatise the opening of executables which immediately gain full system access - something that's completely absurd, but was a necessary evil.

Which paths are "sensitive" depends on which other programs the user has installed. Would Chrome recognize ~/.mozilla as a sensitive path? How about adding arbitrary content to ~/.ssh/authorized_keys?
On Windows any directory where users start programs is a ‘sensitive’ directory. With of course the prime case the ‘downloads’ directory.
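As an added example of the kind of blocklist check the two comments above are arguing about (illustrative Python written for this page, not Chromium's list or code): the protected directories, the two policy kinds and the fake home path are assumptions chosen to cover the cases raised here, including `~/.ssh`, `~/.mozilla` and the Downloads folder. The check canonicalises the path first, so neither `..` nor a symlink planted in a harmless-looking folder gets around it, and it refuses a directory handle for any folder that contains a protected subtree, because a directory handle grants everything beneath it.

```python
"""Sensitive-path check for a file/directory picker.

Constructed example; the policy entries are assumptions for this demo.
Policy kinds:
  "subtree":  nothing at or below the path may be chosen, as file or directory.
  "dir_only": the directory itself may not be handed to a page, but a single
              file inside it may be (home and Downloads: saving one document
              there is fine, granting the whole folder is not).
"""
import os
import sys
import tempfile
from pathlib import Path


def canonical(path):
    """Expand ~, resolve symlinks and '..' (non-strict, so a not-yet-created
    target still works) and fold case where the filesystem does (Windows)."""
    return Path(os.path.normcase(str(Path(path).expanduser().resolve())))


def build_policy(home, platform=sys.platform):
    """Blocklist rooted at `home`; the entries are assumptions for this demo."""
    home = Path(home)
    if platform == "win32":
        entries = [
            (os.environ.get("SystemRoot", r"C:\Windows"), "subtree"),
            (os.environ.get("ProgramFiles", r"C:\Program Files"), "subtree"),
            (home / "AppData", "subtree"),
            (home, "dir_only"),
            (home / "Downloads", "dir_only"),
        ]
    else:
        entries = [
            ("/etc", "subtree"),
            ("/usr", "subtree"),
            (home / ".ssh", "subtree"),
            (home / ".gnupg", "subtree"),
            (home / ".mozilla", "subtree"),  # the Firefox profile dir asked about above
            (home / ".config", "subtree"),
            (home, "dir_only"),
            (home / "Downloads", "dir_only"),
        ]
    return [(canonical(p), kind) for p, kind in entries]


def _contains(base, path):
    """True when `path` is `base` or lies beneath it."""
    try:
        path.relative_to(base)
        return True
    except ValueError:
        return False


def blocked_reason(path, is_directory, policy):
    """Return why `path` may not be handed to a page, or None if it may."""
    target = canonical(path)
    for base, kind in policy:
        if kind == "subtree":
            if _contains(base, target):
                return f"inside protected subtree {base}"
            # A directory handle grants the whole subtree, so an ancestor of
            # a protected directory is just as dangerous as the directory.
            if is_directory and _contains(target, base):
                return f"would grant access to protected subtree {base}"
        elif kind == "dir_only" and is_directory and target == base:
            return f"protected directory {base} itself"
    return None


def symlink_escape_demo(policy):
    """A symlink in a scratch folder pointing into a protected subtree does not
    evade the check, because canonical() resolves it. Returns the reason, or
    "skipped" where symlinks cannot be created (e.g. unprivileged Windows)."""
    protected = "/etc" if sys.platform != "win32" else os.environ.get(
        "SystemRoot", r"C:\Windows")
    with tempfile.TemporaryDirectory() as tmp:
        link = Path(tmp) / "innocent"
        try:
            link.symlink_to(protected, target_is_directory=True)
        except (OSError, NotImplementedError):
            return "skipped"
        return blocked_reason(link / "passwd", False, policy) or "not blocked"


if __name__ == "__main__":
    policy = build_policy(Path.home())
    for p, is_dir in [("~/.ssh/authorized_keys", False), ("~/Downloads", True),
                      ("~/Downloads/report.pdf", False), ("~/Documents", True)]:
        print(p, "->", blocked_reason(p, is_dir, policy) or "allowed")
    print("symlink:", symlink_escape_demo(policy))
```

Note what this policy still permits: a single file written into Downloads. That is the gap the comment above is pointing at, and it is why the Mark-of-the-Web step matters even when the blocklist is right.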
Are you aware of this security issue? There are also similar issues with DLLs on Windows.

https://glyph.twistedmatrix.com/2020/08/never-run-python-in-...