[whatwg] input type="file" value inconsistencies
Jonas Sicking
jonas at sicking.cc
Wed Nov 14 02:33:30 PST 2007
Daniel Veditz wrote:
> I'd like the WHAT-WG specs to specify the expected value of a file input
> control that has been filled by the user.
>
> The Web-Forms 2 spec says only the filename, not the path, is uploaded to
> the server, and this seems to be general browser practice. But what about
> the value seen by scripts in the page? IE, Mozilla, and Safari reveal the
> full pathname while Opera returns only the filename.
>
> Mozilla has a very old privacy request that we limit the .value to just the
> filename as uploaded with the form
> (https://bugzilla.mozilla.org/show_bug.cgi?id=143220). We've also gotten
> advocacy that we WONTFIX the bug because there are intranet apps that use
> the full path value, and in fact don't upload the files themselves they
> just use the control as a convenient picker to get the path (they use
> script to move those values into a text input control).
>
> Opera's approach is privacy preserving and consistent with the spec for the
> uploaded value.
Honesly, I think we should simply do what opera does. I'm sorry it'll
break a few intranet apps, but we've said security over compatibility
many times before.
Ideally the full pathname would be available through other means to
trusted pages. However trusted pages is not something that there are any
specs for yet. Unfortunately.
/ Jonas
More information about the whatwg
mailing list