This specification defines an API for writing to files from web applications. This API is designed to be used in conjunction with, and depends on definitions in, other APIs and elements on the web platform. Most relevant among these are [[!FILE-API]] and [[!WEBWORKERS]].

This API includes:

This document represents the early consensus of the group on the scope and features of the proposed File API: Writer. Issues and editors notes in the document highlight some of the points on which the group is still working and would particularly like to get feedback.

This specification defines conformance criteria that apply to a single product: user agents that implement the interfaces that it contains.

Everything in this specification is normative except for examples and sections marked as being informative.

The keywords MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL in this document are to be interpreted as described in Key words for use in RFCs to Indicate Requirement Levels [[!RFC2119]].

The following conformance classes are defined by this specification:

conforming implementation

A user agent is considered to be a conforming implementation if it satisfies all of the must-, required- and shall-level criteria in this specification that apply to implementations.

Terminology and Algorithms

The terms and algorithms event handler attributes, event handler event types, Function, task, task source, and queue a task are defined by the HTML 5 specification [[!HTML5]].

The term Blob is defined by the File API specification [[!FILE-API]].

The term ArrayBuffer is defined by the Typed Arrays specification [[!TYPED-ARRAYS]].

This specification includes algorithms (steps) as part of the definition of methods. Conforming implementations (referred to as user agents from here on) MAY use other algorithms in the implementation of these methods, provided the end result is the same.

Introduction

Web applications are currently fairly limited in how they can write to files. One can present a link for download, but creating and writing files of arbitrary type, or modifying downloaded files on their way to the disk, is difficult or impossible. This specification defines an API through which user agents can permit applications to write generated or downloaded files.

The [[!FILE-API]] defined interfaces for reading files, manipulation of Blobs of data, and errors raised by file accesses. This specification extends that work with a way to construct Blobs and with synchronous and asynchronous file-writing interfaces. As with reading, writing files on the main thread should happen asynchronously to avoid blocking UI actions. Long-running writes provide status information through delivery of progress events.

Examples

Here is a simple function that writes a text file, given a FileWriter: 

          function writeFile(writer) {
            function done(evt) {
              alert("Write completed.");
            }
            function error(evt) {
              alert("Write failed:" + evt);
            }

            var bb = new BlobBuilder();
            bb.append("Lorem ipsum");
            writer.onwrite = done;
            writer.onerror = error;
            writer.write(bb.getBlob());
          }

Here's an example of obtaining and using a FileSaver: 

            var bb = new BlobBuilder();
            bb.append("Lorem ipsum");
            var fileSaver = window.saveAs(bb.getBlob(), "test_file");
            fileSaver.onwriteend = myOnWriteEnd;

The BlobBuilder interface

BlobBuilder description

Blob getBlob ()

Returns the current contents of the BlobBuilder as a Blob.

in optional DOMString contentType
Sets the content type of the blob produced.
void append ()

Appends the supplied text to the current contents of the BlobBuilder, writing it as UTF-8, converting newlines as specified in endings.

in DOMString text
The data to write.
in optional DOMString endings
Can we do without endings? Any choice other than "native" can be implemented by the app author, and most file formats don't care about line endings. "Native" would be handy for sharing certain types of text files with apps outside the browser [e.g. Makefiles on a system where make is expecting \n will have issues if they're written with \r\n]. Is it worth it? Can this be worked around if we don't supply it?

This parameter specifies how strings containing \n are to be written out. If the user does not provide the endings parameter, user agents MUST act as if the user had specified a value of 'transparent'. If the user provides the endings parameter, user agents MUST convert newlines as specified below. The possible values are:

ValueDescription
"transparent" Code points from the string MUST remain unchanged.
"native" Newlines MUST be transformed to the default line-ending representation of the underlying host operating system. For example, if the underlying OS is Windows, newlines will be transformed into \r\n pairs as the text is appended to the state of the BlobBuilder.
SYNTAX_ERR
The user supplied an unsupported value for endings.
void append ()

Appends the supplied Blob to the current contents of the BlobBuilder.

in Blob data
The data to append.
void append ()

Appends the supplied ArrayBuffer to the current contents of the BlobBuilder.

in ArrayBuffer data
The data to append.

Constructor

When the BlobBuilder constructor is invoked, user agents MUST return a new BlobBuilder object.

This constructor MUST be visible when the script's global object is either a Window object or an object implementing the WorkerUtils interface.

The FileSaver interface

This interface provides methods to monitor the asynchronous writing of blobs to disk using progress events [[!PROGRESS-EVENTS]] and event handler attributes.

This interface is specified to be used within the context of the global object (Window [[!HTML5]]) and within Web Workers (WorkerUtils [[!WEBWORKERS]]).

void abort ()

When the abort method is called, user agents MUST run the steps below:

  1. If readyState is DONE or INIT, terminate this overall series of steps without doing anything else..
  2. Terminate any steps having to do with writing a file.
  3. Set the error attribute to a FileError object with the code ABORT_ERR.
  4. Set readyState to DONE.
  5. Dispatch a progress event called abort
  6. Dispatch a progress event called writeend
  7. Stop dispatching any further progress events.
  8. Terminate this overall set of steps.

const unsigned short INIT = 0
The object has been constructed, but there is no pending write.
const unsigned short WRITING = 1
The blob is being written.
const unsigned short DONE = 2
The entire Blob has been written to the file, a file error occurred during the write, or the write was aborted using abort(). The FileSaver is no longer writing the blob.
readonly attribute unsigned short readyState

The FileSaver object can be in one of 3 states. The readyState attribute, on getting, MUST return the current state, which MUST be one of the following values:

readonly attribute FileError error

The last error that occurred on the FileSaver.

attribute Function onwritestart

Handler for writestart events.

attribute Function onprogress

Handler for progress events.

attribute Function onwrite

Handler for write events.

attribute Function onabort

Handler for abort events.

attribute Function onerror

Handler for error events.

attribute Function onwriteend

Handler for writeend events.

The FileSaver Constructor

The FileSaver(data) constructor takes one argument: the Blob of data to be saved to a file.

When the FileSaver constructor is called, the user agent MUST return a new FileSaver object with readyState set to INIT.

This constructor MUST be visible when the script's global object is either a Window object or an object implementing the WorkerUtils interface.

The FileSaver Task Source

The FileSaver interface enables asynchronous writes on individual files by dispatching events to event handler methods. Unless stated otherwise, the task source that is used in this specification is the FileSaver. This task source is used for any event task that is asynchronously dispatched, or for event tasks that are queued for dispatching.

After its constructor has returned, a new FileSaver MUST asynchronously execute the following steps.

  1. Set readyState to WRITING.
  2. If an error occurs during file write, proceed to the error steps below.
    1. Queue a task that will:
      1. Set the error attribute; on getting the error attribute MUST be a FileError object with a valid error code that indicates the kind of file error that has occurred.
      2. Set readyState to DONE.
      3. Dispatch a progress event called error.
      4. Dispatch a progress event called writeend.
    2. Terminate this overall set of steps.
  3. Queue a task to dispatch a progress event called writestart.
  4. Make progress notifications.
  5. When the data has been fully written, queue a task that will:
    1. Set readyState to DONE.
    2. Dispatch a progress event called write
    3. Dispatch a progress event called writeend
  6. Terminate this overall set of steps.

Event Handler Attributes

The following are the event handler attributes (and their corresponding event handler event types) that user agents MUST support on FileSaver as DOM attributes:

event handler attribute event handler event type
onwritestart writestart
onprogress progress
onwrite write
onabort abort
onerror error
onwriteend writeend

The FileSaverSync interface

It seems like this should have a blocking constructor and no methods or properties, if it's to follow the constructor-based model of the asynchronous interface. A global method seems like it would be cleaner, though. Is it important that they match? If so, the asynch constructor could turn into a method instead.

It's been pointed out that a method name like "saveAs" is too short and generic; any global symbol should be longer and more explicit in order to avoid confusion and naming conflicts.

The FileWriter interface

This interface expands on the FileSaver interface to allow for multiple write actions, rather than just saving a single Blob.

Since this is intended to be used only with the sandboxed filesystem, it could potentially move to the filesystem spec.
readonly attribute unsigned long long position

The byte offset at which the next write to the file will occur. This MUST be no greater than length.
A newly-created FileWriter MUST have position set to 0.

readonly attribute unsigned long long length

The length of the file. If the user does not have read access to the file, this MUST be the highest byte offset at which the user has written.

void write ()

Write the supplied data to the file at position. When the write method is called, user agents MUST run the steps below (unless otherwise indicated).

  1. If readyState is WRITING, throw a FileException with error code INVALID_STATE_ERR and terminate this overall series of steps.
  2. Set readyState to WRITING.
  3. If an error occurs during file write, proceed to the error steps below.
    1. Set the error attribute; on getting the error attribute MUST be a FileError object with a valid error code that indicates the kind of file error that has occurred.
    2. Set readyState to DONE.
    3. Dispatch a progress event called error.
    4. Dispatch a progress event called writeend
    5. On getting, the length and position attributes SHOULD indicate any fractional data successfully written to the file.
    6. Terminate this overall set of steps.
  4. Dispatch a progress event called writestart.
  5. Return from the write method, but continue processing the other steps in this algorithm.
  6. Make progress notifications. On getting, while processing the write method, the length and position attributes SHOULD indicate the progress made in writing the file as of the last progress notification.
  7. Upon successful completion of a write:
    1. position MUST indicate an increase of data.size over its pre-write state, and length must be the greater of (the pre-write length) and (the pre-write position plus data.size).
    2. Set readyState to DONE.
    3. Dispatch a progress event called write
    4. Dispatch a progress event called writeend
    5. Terminate this overall set of steps.

Blob data
The blob to write.
INVALID_STATE_ERR
A user called write while readyState was WRITING.
void seek ()

Seek sets the file position at which the next write will occur.

Seek may not be called while the FileWriter is in the WRITING state.

long long offset

An absolute byte offset into the file. If offset is greater than length, length is used instead. If offset is less than zero, length is added to it, so that it is treated as an offset back from the end of the file. If it is still less than zero, zero is used.

INVALID_STATE_ERR
A user called seek while readyState was WRITING.
void truncate ()

Changes the length of the file to that specified. If shortening the file, data beyond the new length MUST be discarded. If extending the file, the existing data MUST be zero-padded up to the new length.

When the truncate method is called, user agents MUST run the steps below (unless otherwise indicated).

  1. If readyState is WRITING, throw a FileException with error code INVALID_STATE_ERR and terminate this overall series of steps.
  2. Set readyState to WRITING.
  3. If an error occurs during truncate, proceed to the error steps below.
    1. Set the error attribute; on getting the error attribute MUST be a FileError object with a valid error code that indicates the kind of file error that has occurred.
    2. Set readyState to DONE.
    3. Dispatch a progress event called error.
    4. Dispatch a progress event called writeend
    5. On getting, the length and position attributes SHOULD indicate any modification to the file.
    6. Terminate this overall set of steps.
  4. Dispatch a progress event called writestart.
  5. Return from the truncate method, but continue processing the other steps in this algorithm.
  6. Upon successful completion:
    • length MUST be equal to size.
    • position MUST be the lesser of
      • its pre-truncate value,
      • size.
    • Set readyState to DONE.
    • Dispatch a progress event called write
    • Dispatch a progress event called writeend
    • Terminate this overall set of steps.

unsigned long long size
The size to which the length of the file is to be adjusted, measured in bytes.
INVALID_STATE_ERR
A user called truncate while readyState was WRITING.

The FileWriterSync interface

This interface lets users write, truncate, and append to files using simple synchronous calls.

This interface is specified to be used only within Web Workers (WorkerUtils [[!WEBWORKERS]]).

Since this is intended to be used only with the sandboxed filesystem, it could potentially move to the filesystem spec.
readonly attribute unsigned long long position

The byte offset at which the next write to the file will occur. This MUST be no greater than length.

readonly attribute unsigned long long length

The length of the file. If the user does not have read access to the file, this MUST be the highest byte offset at which the user has written.

void write ()

Write the supplied data to the file at position. Upon completion, position will increase by data.size.

Blob data
The blob to write.
NO_MODIFICATION_ALLOWED_ERR
The user attempted to modify a read-only file.
NOT_FOUND_ERR
The path to the directory containing the file to be written does not exist, or the file does not exist and offset is nonzero.
INVALID_STATE_ERR
At the time of the call, readyState was WRITING.
SECURITY_ERR
The system has disallowed the write for security reasons.
void seek ()

Seek sets the file position at which the next write will occur.

long long offset
An absolute byte offset into the file. If offset is greater than length, length is used instead. If offset is less than zero, length is added to it, so that it is treated as an offset back from the end of the file. If it is still less than zero, zero is used.
INVALID_STATE_ERR
A user called seek while readyState was WRITING.
void truncate ()

Changes the length of the file to that specified. If shortening the file, data beyond the new length MUST be discarded. If extending the file, the existing data MUST be zero-padded up to the new length.

Upon successful completion:

  • length MUST be equal to size.
  • position MUST be the lesser of
    • its pre-truncate value,
    • size.

unsigned long long size
The size to which the length of the file is to be adjusted, measured in bytes.
NO_MODIFICATION_ALLOWED_ERR
The user attempted to modify a read-only file.
NOT_FOUND_ERR
The file to be truncated does not exist.
SECURITY_ERR
The system has disallowed the truncation for security reasons.

Errors and Exceptions

Error conditions can occur when attempting to write files. The list below of potential error conditions is informative, with links to normative descriptions of error codes:

The directory containing the file being written may not exist at the time one of the asynchronous write methods or synchronous write methods is called. This may be due to it having been moved or deleted after a reference to it was acquired (e.g. concurrent modification with another application).
See NOT_FOUND_ERR.

The file being written may have been removed. If the file is not there, writing to an offset other than zero is not permitted.
See NOT_FOUND_ERR.

A file may be unwritable. This may be due to permission problems that occur after a reference to a file has been acquired (e.g. concurrent lock with another application).
See NO_MODIFICATION_ALLOWED_ERR.

User agents MAY determine that some files are unsafe for use within web applications. Additionally, some file and directory structures may be considered restricted by the underlying filesystem; attempts to write to them may be considered a security violation. See the security considerations.
See SECURITY_ERR.

A web application may attempt to initiate a write, seek, or truncate via a FileWriter in the WRITING state.
See INVALID_STATE_ERR.

During the writing of a file, the web application may itself wish to abort (see abort()) the call to an asynchronous write method.
See ABORT_ERR.

A web application may request unsupported line endings. See SYNTAX_ERR.

The FileError Interface

This interface extends the FileError interface described in [[!FILE-API]] to add several new error codes. It is used to report errors asynchronously. The FileWriter object's error attribute is a FileError object, and is accessed asynchronously through the onerror event handler when error events are generated.

const unsigned short NOT_FOUND_ERR = 1
const unsigned short SECURITY_ERR = 2
const unsigned short ABORT_ERR = 3
const unsigned short NOT_READABLE_ERR = 4
const unsigned short ENCODING_ERR = 5
const unsigned short NO_MODIFICATION_ALLOWED_ERR = 6
const unsigned short INVALID_STATE_ERR = 7
const unsigned short SYNTAX_ERR = 8
const unsigned short QUOTA_EXCEEDED_ERR = 10
readonly attribute unsigned short code
The code attribute MUST return one of the constants of the FileError error, which MUST be the most appropriate code from the Error Code Descriptions.

The FileException exception

This interface extends the FileException interface described in [[!FILE-API]] to add several new error codes. Any errors that need to be reported synchronously, including all that occur during use of the synchronous write methods for Web Workers [[WEBWORKERS]] are reported using the FileException exception.
const unsigned short NOT_FOUND_ERR = 1
const unsigned short SECURITY_ERR = 2
const unsigned short ABORT_ERR = 3
const unsigned short NOT_READABLE_ERR = 4
const unsigned short ENCODING_ERR = 5
const unsigned short NO_MODIFICATION_ALLOWED_ERR = 6
const unsigned short INVALID_STATE_ERR = 7
const unsigned short SYNTAX_ERR = 8
const unsigned short QUOTA_EXCEEDED_ERR = 10
unsigned short code
The code field MUST return one of the constants of the FileException error, which MUST be the most appropriate code from the Error Code Descriptions.

Error Code Descriptions

NameValueDescription
ABORT_ERR20 User agents MUST use this code if the read operation was aborted, typically with a call to abort().
INVALID_STATE_ERR11 User agents MUST use this code if an application attempts to initiate a write, truncate, or seek using a FileWriter which is already in the WRITING state.
NOT_FOUND_ERR8 User agents MUST use this code if:
  • the directory containing the file to be written could not be found at the time the write was processed.
  • the file to be written does not exist at the time the write was processed, and an offset other than zero is specified.
NO_MODIFICATION_ALLOWED_ERR6 User agents MUST use this code when attempting to write to a file which cannot be modified due to the state of the underlying filesystem.
QUOTA_EXCEEDED_ERR10 user agent MUST use this code if the operation failed because it would cause the application to exceed its storage quota.
SECURITY_ERR18 User agents MAY use this code if:
  • it is determined that certain files are unsafe for access within a Web application
  • it is determined that too many write calls are being made on file resources
  • it is determined that the file has changed on disk since the user selected it
This is a security error code to be used in situations not covered by any other error codes.
SYNTAX_ERR12 User agents MUST use this code when an application attempts to supply an invalid line ending specifier to the API.

Security Considerations

Basic Security Model

Most of the security issues pertaining to writing to a file on the user's drive are the same as those involved in downloading arbitrary files from the Internet. The primary difference [in the case of FileWriter] stems from the fact that the file may be continuously written and re-written, at least until such a time as it is deemed closed by the user agent. This has an impact on disk quota, IO bandwidth, and on processes that may require analysing the content of the file.

Write-Only Files

When a user grants an application write access to a file, it doesn't necessarily imply that the app should also receive read access to that file or any of that file's metadata [including length]. This specification describes a way in which that information can be kept secret for write-only files. If the application has obtained a FileWriter through a mechanism that also implies read access, those restrictions may be relaxed.

Quotas

Where quotas are concerned, user agents may wish to monitor the size of the file(s) being written and possibly interrupt the script and warn the user if certain limits of file size, remaining space, or disk bandwidth are reached.

Other Standard Techniques

Other parts of the download protection tool-chain such as flagging files as unsafe to open, refusing to create dangerous file names, and making sure that the mime type of a file matches its extension should naturally be applied.

Acknowledgements

Thanks to Arun Ranganathan for his File API, Opera for theirs, and Robin Berjon both for his work on various file APIs and for ReSpec.