Comment by bigrocketapps
6 hours ago
If you tried this out in Linux, for example, the system would block you from selecting folders that contain files that are flagged as dangerous or "system files". I'm assuming this was implemented across all OSes.
That does not sound at all reassuring, that the only safeguard is the system blocking access and that the API has no safeguard.
Its also easily possible to have sensitive files misplaced, especially for a general non-technical user that would be the one falling for a browser hijacking attack
I have not checked the source code to tell you if the system is the one blocking access or the browser-level API itself. I'm guessing it's the browser. The only reason I mentioned Linux is that's where I tested it and I'm sure there are differences across OSes.
My biggest concern here is the write permission.
i give zero F about whatever is in my /usr, /var/lib and /opt folders.
what are websites gonna steal, debian binaries and libraries?
all my important stuff are in my home directory, which is owned (read+write) by me, the same user running the browser.