Solved

Understanding Security Restrictions: Drag and Drop Disabled When Aurena Agent is Enabled


Hi everyone,

I’ve noticed that the drag and drop area is not enabled when the IFS Aurena Extension (Aurena Agent) is installed and enabled for the environment the customer is working on.

I understand that this is not a bug, but rather a feature. From what I gather, this is partly due to security restrictions in modern web browsers. Can anyone provide more details on these security restrictions? Specifically, why does drag and drop functionality conflict with the Aurena Agent?

I found some related information in this article, but I have a customer who is curious to hear more insights and experiences from the community. Are there any workarounds or best practices for users who rely on both features?

Thanks in advance for your expertise!

Best regards,
/ashley

2 replies


Hi @asjaus,

Thanks for posting in this forum.

The Aurena Agent consists of two main components: the Aurena browser extension and the Aurena Agent Windows application. The extension facilitates communication between the browser and the Agent, passing the needed values fetched from the browser. The limitation is on the browser end, where it doesn’t have the full file path information which the Agent needs to execute all of the added functionalities.

This is not a security vulnerability in Aurena Agent or the extension. Modern web browsers have implemented security measures to protect users' privacy and data. One of these measures is the restriction on accessing the full file path from drag-and-drop (and also the browser’s file picker) operations. Allowing web applications to access full file paths could expose sensitive information and pose security risks, in a general sense from a browser’s perspective. Consequently, web browsers do not permit this functionality, ensuring that users' file systems remain secure and private given the below reasons from their end.

  • Privacy Protection: Allowing web applications to access full file paths could expose sensitive information about the user's file system and potentially reveal personal or confidential data.
  • Security Risks: Access to full file paths could be exploited by malicious websites or scripts to perform unauthorized actions, such as gaining insights into the user's directory structure or targeting specific files for attacks.
  • Sandboxing: Modern web browsers operate in a sandboxed environment, isolating web content from the local file system to prevent malicious access and ensure user safety.

You could also refer to this documentation.

Mozilla docs: https://developer.mozilla.org/en-US/docs/Web/API/File/name

HTML specification: https://www.w3.org/TR/FileAPI/#dfn-name

Look/search for "path" in both places.

 

Considering the current limitations, it seems unfeasible to integrate Agent functionalities with the drag-and-drop feature at this time. A practical alternative could be to enable both features with differentiated functionalities: using drag-and-drop would follow the general workflow without Agent-added functionalities, while selecting files from the ‘Agent’s file picker’ would include those additional functionalities. We can consider this as a potential roadmap item for a future release.

@Mathias Dahl @Mayura Wasantha @Jitharie @diwelk

Thanks and best regards,

Deshan
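
The browser restriction described in the reply above, as an added example that is not part of the original post and is not IFS code; the function names and the request shape are hypothetical. Loaded in a page, it logs everything a script can learn about a dropped file, and none of it identifies the containing folder.

```javascript
// Added example: what a page script can learn about a dropped or picked file.
// Function names and the request shape are hypothetical, not IFS code.

// <input type="file">.value always reads "C:\fakepath\<leaf>", on every OS.
const FAKEPATH = "C:\\fakepath\\";

function leafFromInputValue(value) {
  return value.startsWith(FAKEPATH) ? value.slice(FAKEPATH.length) : value;
}

// Every location-related field the File API exposes to the page.
function pageVisibleMetadata(file) {
  return {
    name: file.name,                 // leaf name only, no directory part
    size: file.size,
    type: file.type,
    lastModified: file.lastModified,
    // Populated only by a directory picker (webkitdirectory), and then only
    // relative to the picked folder; empty for drag and drop.
    relativePath: file.webkitRelativePath || "",
  };
}

// Hypothetical request an extension could hand to a native helper.
function buildHelperRequest(file) {
  const meta = pageVisibleMetadata(file);
  return {
    ...meta,
    nameIsLeafOnly: !/[\\/]/.test(meta.name),
    directory: null, // the File API has no field for the containing folder
  };
}

// Browser wiring; skipped when the script runs outside a browser.
if (typeof document !== "undefined") {
  document.addEventListener("dragover", (e) => e.preventDefault());
  document.addEventListener("drop", (e) => {
    e.preventDefault();
    for (const f of e.dataTransfer.files) {
      console.log(buildHelperRequest(f));
    }
  });
}
```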


After what Deshan wrote, I hope it's clear that we have a technical restriction on our hands, which makes it impossible to combine the use of the drag and drop feature with the Aurena Agent. 

By "combine" we mean using them together in the same check-in operation. This means that if drag and drop is used, we cannot execute a check-in macro or look for a view copy in the same folder. It's impossible. Period.

We can easily enable both, though, and if we do that we get a usability/UX problem on our hands. It is about how to communicate to the user that, if they select the file using drag and drop, they will lose features like check-in macros and view copy support.

We have several options:

1. We do nothing, and keep annoying and confusing some users

2. We provide options by which customers can control whether the two features are enabled or not and let them inform their users 

3. We try to design the UI to be as clear as possible on what happens and doesn't happen depending on if the user uses the drag and drop/Browse... area or not

4. Some combination of 2 and 3

We have a backlog item about looking into if and how we could enable both features at the same time while retaining a good UX where we don't confuse users. It's still not done though.

 
