Can Websites Read Your Files Without Uploading Them?
A common concern when using web-based tools is whether websites can access files on your computer without your knowledge. This article explains how browser security works, what permissions websites actually have, and how you can verify file handling behavior yourself.
In simple terms
Websites cannot access files on your computer unless you explicitly select them. When you do share a file, browsers have security features that prevent websites from reading anything else. You can verify this yourself using browser developer tools.
Browser permission model
Modern browsers implement a strict permission model that governs how websites interact with your device. This model is designed around a principle called "least privilege"—websites start with almost no access and must request specific permissions for sensitive operations.
For file access specifically, the rules are clear:
- Websites cannot browse your file system or see what files exist
- File access requires explicit user action (clicking a file input or drag-and-drop)
- Only the specific files you select are accessible to the website
- Permission is granted per-session and does not persist across page reloads
This permission model is enforced by the browser itself, not by the website. A malicious website cannot bypass these restrictions through JavaScript or any other client-side code.
File access limitations
When you select a file through a website's file picker, the browser creates a controlled reference to that file. The website receives only what is necessary to work with your selection:
- The file name (but not its full path on your system)
- The file size and type
- The ability to read the file's contents
The website does not get:
- Access to other files in the same folder
- File metadata like creation date or author
Importantly, the browser hides your actual file system structure. If you select a file from /Users/name/Documents/sensitive/contract.pdf, the website only sees "contract.pdf"—it cannot determine the folder structure or that a "sensitive" directory exists.
The File System Access API, a newer browser feature, can request broader access to directories. However, this requires an additional explicit permission prompt and is clearly disclosed to users.
Sandbox security explained
Browsers run websites inside a security "sandbox"—an isolated environment that limits what code can do. The sandbox provides multiple layers of protection:
- Process isolation: Each browser tab runs in a separate process with its own memory space
- Origin restrictions: Websites can only access data from their own domain
- API limitations: Dangerous system APIs are simply not exposed to web code
- Content Security Policy: Websites can further restrict their own capabilities
The sandbox means that even if a website contains malicious code, it cannot escape the browser's restrictions to access your file system, install software, or read data from other websites. This architecture has been refined over decades and is continuously tested by security researchers.
Browser sandboxing is not theoretical—it is actively tested. Major browsers run bug bounty programs paying researchers to find sandbox escapes. Such vulnerabilities are rare, treated as critical, and patched quickly.
How to verify file behavior
You do not need to trust claims about file handling—you can verify them yourself using tools built into every modern browser. Here is how to check whether a website uploads your files:
Step 1: Open Developer Tools
Press F12 or right-click and select "Inspect". Navigate to the "Network" tab.
Step 2: Clear existing requests
Click the clear button (usually a circle with a line through it) to remove previous network activity, so that only new requests are shown.
Step 3: Select a file and process it
Use the website's file picker to select a document, then trigger whatever processing operation you want to test (merge, convert, etc.).
Step 4: Examine the network activity
Look for any requests that appear during processing. For a truly offline tool, you should see no network requests at all. If you see requests, click on them to examine what data is being sent.
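The check in Step 4 can also be done on a saved recording, since the Network tab can export the captured requests as a HAR file. The script below is an added example, not part of the original article or of any tool's code: it scans such an export for requests that carried a body after the file was selected. The function name, the tool.example URLs and the sample entries are constructed for illustration.

```javascript
// Added example: scan a HAR export of the Network tab for requests that sent a body.
// Field names follow the HAR 1.2 format; function name and sample data are constructed.
function findOutboundBodies(har, { since, fileName, fileSize }) {
  const cutoff = Date.parse(since); // moment the file was selected
  const findings = [];
  for (const entry of har.log.entries) {
    if (Date.parse(entry.startedDateTime) < cutoff) continue;
    const req = entry.request;
    const post = req.postData || {};
    const text = post.text || "";
    // bodySize is -1 when the exporter could not determine it; fall back to the text length
    const size = req.bodySize > 0 ? req.bodySize : text.length;
    if (size === 0) continue; // no request body, so no file data left the page here
    const reasons = [];
    if ((post.mimeType || "").startsWith("multipart/form-data")) reasons.push("multipart form body");
    if (fileName && text.includes(fileName)) reasons.push("file name appears in body");
    if (fileSize && size >= fileSize) reasons.push("body at least as large as the file");
    findings.push({ method: req.method, url: req.url, size, likelyUpload: reasons.length > 0, reasons });
  }
  return findings;
}

// Constructed sample: a page load, an analytics ping, a multipart upload, a small log call.
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: "2024-01-01T10:00:00.000Z",
    request: { method: "GET", url: "https://tool.example/app.js", bodySize: 0 } },
  { startedDateTime: "2024-01-01T10:00:05.000Z",
    request: { method: "POST", url: "https://tool.example/analytics", bodySize: 27,
      postData: { mimeType: "application/json", text: '{"event":"convert_clicked"}' } } },
  { startedDateTime: "2024-01-01T10:00:06.000Z",
    request: { method: "POST", url: "https://tool.example/convert", bodySize: 20480,
      postData: { mimeType: "multipart/form-data; boundary=b",
        text: '--b\r\nContent-Disposition: form-data; name="file"; filename="contract.pdf"\r\n' } } },
  { startedDateTime: "2024-01-01T10:00:07.000Z",
    request: { method: "POST", url: "https://tool.example/log", bodySize: -1,
      postData: { mimeType: "text/plain", text: "done" } } },
] } };

const SAMPLE_RESULT = findOutboundBodies(SAMPLE_HAR,
  { since: "2024-01-01T10:00:03.000Z", fileName: "contract.pdf", fileSize: 20000 });
console.log(JSON.stringify(SAMPLE_RESULT, null, 2));
```

Every entry in the result is a request that sent data after the file was chosen. Entries without `likelyUpload` still deserve a look, because a body can be compressed or split into chunks smaller than the file.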
For a complete verification guide including offline testing, see How to Verify Plain.
Conclusion
The browser security model provides strong guarantees about file access. Websites cannot secretly read or upload files—they can only access what you explicitly provide, and you can verify their behavior using standard developer tools.
This security architecture is what makes browser-based offline tools possible. When a tool like Plain processes files locally, the browser's sandbox ensures that your documents remain on your device. The technology that protects you from malicious websites is the same technology that enables private, local processing.
For details on how Plain implements local processing, see How Plain Works.