[whatwg] input type="file" value inconsistencies
Michael A. Puls II
shadow2531 at gmail.com
Wed Nov 14 02:50:19 PST 2007
On 11/14/07, Daniel Veditz <dveditz at cruzio.com> wrote:
> I'd like the WHAT-WG specs to specify the expected value of a file input
> control that has been filled by the user.
> The Web-Forms 2 spec says only the filename, not the path, is uploaded to
> the server, and this seems to be general browser practice. But what about
> the value seen by scripts in the page? IE, Mozilla, and Safari reveal the
> full pathname while Opera returns only the filename.
> Mozilla has a very old privacy request that we limit the .value to just the
> filename as uploaded with the form
> (https://bugzilla.mozilla.org/show_bug.cgi?id=143220). We've also gotten
> advocacy that we WONTFIX the bug because there are intranet apps that use
> the full path value, and in fact don't upload the files themselves they
> just use the control as a convenient picker to get the path (they use
> script to move those values into a text input control).
> Opera's approach is privacy preserving and consistent with the spec for the
> uploaded value.
Opera's way is safer, but I hate it sometimes.
For example, if I make the page:
<input type="file" oninput="alert(this.value)">
and choose the file 'f:\audio\some file.ogg', I expect the alert to
(There's no harm in that exact situation.)
For browsers, I really expect options like:
[file input script access]
Reveal full path for file input = no (default) | yes with warning | yes
Full path format for file input = native (default) | file URI
Quote full path for file input = yes (default) | no
However, the spec can't say those things I think. All it can say is
that scripts should only have access to the file name (like Opera).
More information about the whatwg