[whatwg] File Upload Control

Ian Hickson ian at hixie.ch
Sun Aug 29 10:34:56 PDT 2004


On Thu, 26 Aug 2004, Greg Kilwein wrote:
> 
> I say that disallowing styling of the file upload control is a dubious 
> "security" measure at best, as sites can currently obscure the browse 
> button (if it exists) by layering other items over the top of it, or by 
> making sure that the control is partially cut off on the side of the 
> screen by using script to reposition the element.

Oh I totally agree, it's just one of what must be a number of 
complementary aspects to protect file upload controls.


> Given this example, I say the statement that file controls should not be 
> styled for security reasons is invalid, since they can already be 
> massaged to remove the browse button.  Since there already exists the 
> ability to fool the user, given my above example, why should they not be 
> stylable?  I have yet to hear a compelling argument for the inability to 
> style the file upload control.

The argument that UAs use is the one I gave -- they are worried about 
people being tricked.


> If there were a standardized way to style this control, it would help 
> the appearance of web apps.  If we are to make web apps "first-rate 
> citizens", the ability to change even the simplest thing such as the 
> font in the file upload control would allow the ability to lend more 
> uniformity to the application.

Native applications rarely change their fonts to be different than the 
native UI, actually, so this is not necessarily a good argument.


> Native apps have the ability now to create any sort of file upload 
> control using whatever style is desired - why can't "first-rate" web 
> apps?

Because native apps are fully trusted, while HTML applications don't have 
that level of trust, even when run in their own window.


In any case, styling of controls is an issue more relevant to the CSS 
working group (although WHATWG might eventually address this in the Web 
Controls spec, if the W3C doesn't get there first).

Cheers,
-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'


