利用 HTML5 File API 写的文件存哪了
但是在通过demo初学的时候,就会产生一个疑问,文件到底存哪了?
我们在demo程序中设置了文件的创建路径为“log.txt”,理论上它会创建在当前的文件目录,但是代码提示创建成功之后,会发现当前目录并没有一个叫log的txt文件。
后来想起了javascript的“沙箱”,什么是沙箱?
当javascript运行的时候,有一个隐患,就是打开一个网页之后,javascript可能在计算机上执行一段有害的代码,例如批量删除word文件,或者将这些word的文件发送出去。为了防止这种情况发生,javascript被设计为只能在沙箱中运行。沙箱指的是一个受保护的环境,在这个环境中不能访问计算机中的资源。的安全策略定义了脚本能做什么,不能做什么。
再来看看官方文档中的一段。
because this api may allow untrusted code to read and write parts of a user's hard drive, there are a number of security and privacy issues that must be dealt with. risks to the user include:
denial of service by filling a local disk or using up io bandwidth. this can be mitigated in part through quota limitations.
theft or erasure of private data. this is mitigated by limiting the scope of access to the local filesystem to a chroot-like, origin-specific sandbox.
storing malicious executables or illegal data on a user's system. this is similar to the risk of any download, and similar security precautions apply, but is potentially worse in that:
it may involve multiple files.
the files may be in a part of the filesystem that's harder for the user to find than the standard downloads directory.
the malicious writes may happen long enough after granting of filesystem access that the user doesn't connect the two events.
this may be mitigated by restricting file creation/rename to non-executable extensions, virtualizing paths [leading to unguessable or non-executable filenames] and by making sure the execute bit is not set on any file created or modified via the api.
as with any other client-side storage, filesystem access allows for cookie-resurrection attacks. uas will likely wish to present the option of clearing it when the user clears any other origin-specific storage, blocking access to it when cookies are blocked, etc. this is especially important if temporary storage space is permitted by default without explicit user permission.
这一段的大致意思是,为了确保浏览器所在的计算机安全,浏览器定义了一系列的安全措施,来降低脚本运行的风险,其中就包括沙箱。
当我们通过代码调用file api的时候,浏览器将在一个安全的环境中建立一个模拟的文件系统,所有的文件读写操作都是在这个安全的环境中进行的。
这些生成的文件无法通过javascript代码的控制跑到安全区外面,外面的文件也无法跑进来。
有了这些策略之后,程序在使用file api的时候就安全多了。
我们可以在下面目录找到我们所创建的文件:
c:\users\{username}\appdata\local\google\chrome\user data\default\file system\000\t\00
在这个目录中,文件的名字不是我们所指定的名字,而是浏览器生成八位数表示的。
第一个生成的文件名为00000000,无后缀名,可以用notepad++等编辑器打开。
第二个为00000001,以此类推。