[whatwg] input type="file" value inconsistencies

[Michael A. Puls II]

On 11/14/07, Daniel Veditz <dveditz at cruzio.com> wrote:
> I'd like the WHAT-WG specs to specify the expected value of a file input
> control that has been filled by the user.
>
> The Web-Forms 2 spec says only the filename, not the path, is uploaded to
> the server, and this seems to be general browser practice. But what about
> the value seen by scripts in the page? IE, Mozilla, and Safari reveal the
> full pathname while Opera returns only the filename.
>
> Mozilla has a very old privacy request that we limit the .value to just the
> filename as uploaded with the form
> (https://bugzilla.mozilla.org/show_bug.cgi?id=143220). We've also gotten
> advocacy that we WONTFIX the bug because there are intranet apps that use
> the full path value, and in fact don't upload the files themselves they
> just use the control as a convenient picker to get the path (they use
> script to move those values into a text input control).
>
> Opera's approach is privacy preserving and consistent with the spec for the
> uploaded value.
>

Opera's way is safer, but I hate it sometimes.

For example, if I make the page:

file://localhost/c:/Documents%20and%20Settings/user/Desktop/test.html
<input type="file" oninput="alert(this.value)">

and choose the file 'f:\audio\some file.ogg', I expect the alert to
show "file://localhost/f:/audio/some%20file.ogg".

(There's no harm in that exact situation.)

For browsers, I really expect options like:

[file input script access]
Reveal full path for file input = no (default) | yes with warning | yes
Full path format for file input = native (default) | file URI
Quote full path for file input = yes (default) | no

However, the spec can't say those things I think. All it can say is
that scripts should only have access to the file name (like Opera).

-- 
Michael