Hacker News new | comments | show | ask | jobs | submit login

While the number 1 suggestion sounds great on paper, isn't anyone else concerned about the security implications?

The ability for the browser to modify files directly on my workstation outside of caching folders sounds like a recipe for disaster.

1) the protocol doesn't modify any file. The python script just opens an anonymous buffer.

2) to enable this feature, you first need to go to a "start connection" screen (not showed in the video)

3) you need to click on a dialog to accept any incoming connection

He had to click accept connection before it allowed him to edit the CSS.

Which, as we know, is a rock-solid protection mechanism against these types of exploits. Everyone reads modal messages.

In order to get to that modal message, you first have to go and enable remote debugging, which is not something normal people would do. And in general, even though we can (and already have) come up with even more mitigations for the potential threat, the sad truth is that security and usability are fundamentally a tradeoff, so you have to strike a balance at some point.

And, I understand that. But, the drawbacks of the security implications of your development/developer browsers being thus weakened is, IMO, a decision heavily weighted in favour _against_ this feature.

Personally, I would love it. It would make my life easier to have a full IDE within a browser. However, I would never be comfortable with the security tradeoff and would never enable it.

Maybe turning on some kind of dev mode to enable the feature, and then keep the modals as well.

Fair enough. +1

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact