nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Child Item

Chooser and security

sanjayssk

I'm a beginner but am now using the Chooser API successfully from a Web app. But I'm concerned about the security of the link obtained. Your description of the returned link is too short and doesn't say anything about security. It says 2 types of links are returned, first is shared and the second is a download, valid for 4 hours. Does it mean, these links then become open to all who get their address? As a user of the web app I would assume that when I opens a file to process in my web app, it's available only to the Web App and to no one else except to myself via regular dropbox access from other sources. Please clarify the security risk of the file chosen so that I can make a decision whether it's safe to use for the users of my web app.

Thanks.

Find more posts tagged with

API

Abuse

Accepted answers

Greg-DB

Yes, the shared links returned by the Chooser are the same kind of shared link as used by the general shared link feature in Dropbox:

https://www.dropbox.com/help/files-folders/view-only-access

That allows anyone with the link to access the shared content. Users can always revoke these shared links from the web site:

https://www.dropbox.com/share/links

Hope this helps!

All comments

Greg-DB

sanjayssk

Hi Greg,

Thanks for replying promptly.

A few related questions:

1) I thought specifying the Chooser/Saver domain for the App Settings will only make the file available to that domain. Is that true at least for the second type of "download" URL that expires in 4 hours? Or is that also available from anywhere for download?

2) BUG: Also when I click on the Links (www.dropbox.com/share/links) to see what links are now exposed, it's just stuck on wait cursor for a long time, over 15 minutes now. Seems like a bug.

I think when Web Apps use this feature, they are exposing a security risk for the end user where the user is unaware that private files may be exposed via links. At least the chooser dialog should give a prominent warning.

Thanks.

Greg-DB

1) No, the Chooser/Saver domains specify which domains can use your app key for the Chooser/Saver. That does not affect the resulting links.

2) That sounds like an issue with the web site. Please open a ticket here for help with that:

https://www.dropbox.com/support

And thanks for the feedback!