window.showDirectoryPicker opens up a whole new world

Capabilities & Use Cases

  • window.showDirectoryPicker() lets a site get a persistent handle to a local directory with read/write access, unlike webkitdirectory, which is a one-shot, mostly read-only upload mechanism.
  • Enables “local‑first” web apps: notes, IDEs, music players, photo editors, and PWAs that operate directly on user-managed files and sync via the user’s own filesystem/cloud.
  • Developers report real-world use:
    • Local music player PWAs (especially useful on Chromebooks).
    • Image editors (e.g., folder-based “local projects”).
    • Internal enterprise LLM tools that can browse and modify folders, spreadsheets, and project trees.

Security & Privacy Concerns

  • Major worry: phishing and “nagging” sites tricking users into granting directory access, potentially exposing SSH keys, configs, camera rolls, or other sensitive data.
  • Chrome/OS safeguards mentioned:
    • Must be user-initiated and over HTTPS.
    • System/root and some sensitive directories (e.g., home root, some “Downloads”/Windows dirs) are blocked on selection.
    • Extra confirmation for write access.
  • Critics see these as weak: users can still select ~/.ssh, app configs, or autostart locations; blacklist-based protection is seen as inherently incomplete.
  • Some propose:
    • Community-managed blacklist of sensitive paths.
    • Whitelisted “Internet files” or per-domain folders only.
    • Forcing creation of an empty new directory rather than selecting existing ones.
  • Others argue the risk is comparable to long-standing file uploads and that user consent plus sandboxing is sufficient; they note the absence of widely known real-world exploits so far (countered by “absence of evidence” arguments).

Browser Support & Standardization Politics

  • Currently only implemented in Chromium-based browsers; Firefox and Safari have explicitly rejected it over security concerns.
  • Several commenters see this as another step toward a Chrome/Chromium monoculture and non-standard, vendor-driven APIs.
  • Some defend the API as less invasive than native apps/Electron and praise the web’s permission and sandbox model; others think it erodes endpoint security.

Alternatives & Related APIs

  • Origin Private File System (OPFS) offers a filesystem-like space only visible to the site, improving safety but reducing user control, backup visibility, and interoperability.
  • Some suggest hybrid designs: browser-controlled, human-visible per-site folders that balance user control with isolation.
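
How an app can stay within the safeguards discussed above, as an added example that is not code from the discussion: it opens the folder read-only, asks for write access only at the moment of a write, and falls back to OPFS where the picker is not implemented. The function names, the `env` parameter (a stand-in for the browser global) and the 'workspace' id are assumptions made for this sketch.

```javascript
// Added example: least-privilege directory access with an OPFS fallback.
// `env` stands in for the browser global so the logic can be exercised with mocks.

// Ask only for the mode the caller needs; prompt only if it is not yet granted.
async function ensurePermission(handle, mode) {
  const opts = { mode };                        // 'read' or 'readwrite'
  if ((await handle.queryPermission(opts)) === 'granted') return true;
  // requestPermission() shows the browser prompt and needs a user gesture.
  return (await handle.requestPermission(opts)) === 'granted';
}

// Call from a click handler. Returns { kind, dir }, or null if nothing was opened.
async function openWorkspace(env = globalThis) {
  if (typeof env.showDirectoryPicker === 'function') {
    try {
      // Start read-only; 'id' lets the browser remember the folder for this purpose.
      const dir = await env.showDirectoryPicker({ mode: 'read', id: 'workspace' });
      return { kind: 'user-folder', dir };
    } catch (err) {
      if (err && err.name === 'AbortError') return null;   // picker dismissed
      throw err;
    }
  }
  // No picker (non-Chromium browsers): use the origin-private file system.
  const storage = env.navigator && env.navigator.storage;
  if (storage && typeof storage.getDirectory === 'function') {
    return { kind: 'opfs', dir: await storage.getDirectory() };
  }
  return null;
}

// Write one file, escalating to readwrite only when a write actually happens.
async function saveText(workspace, name, text) {
  const { kind, dir } = workspace;
  // OPFS is already writable by the origin; a user folder needs explicit consent.
  if (kind === 'user-folder' && !(await ensurePermission(dir, 'readwrite'))) {
    return false;
  }
  const file = await dir.getFileHandle(name, { create: true });
  const writable = await file.createWritable();
  await writable.write(text);
  await writable.close();
  return true;
}
```

A declined write prompt leaves the folder untouched and the app in read-only mode, so the caller should treat a `false` return as a normal outcome rather than an error.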