[whatwg] access to local path in input type="file"

Fri Mar 21 07:51:39 PDT 2008

On Fri, Mar 21, 2008 at 1:58 AM, ddailey <ddailey at zoominternet.net> wrote:
> In the code which follows, both IE7, FF(2.0), and Safari(3.1) allow the user
> to change the src attribute of an image based on her perusal of local file
> space. Opera 9.5 doesn't seem to allow access to the path data necessary for
> accomplishing this rollover effect, and I suspect that may be how it is
> supposed to be according to emerging standards. That is the situation when
> the HTML file is stored on localhost.

The web changed, today firefox only provides the leafname, not the
full path (this is a good thing for security/privacy reasons), and we
don't allow remote access to local content (this is a good thing).
Security Error: Content at
http://granite.sru.edu/~ddailey/imageUpload.htm may not load or link
to file://localhost/78255.png.

>  If however, one places the code on a server (see
>  http://granite.sru.edu/~ddailey/imageUpload.htm) then the program works from
>  none of the browsers. apologies in advance if I made a mistake :(
>
>  While I understand the possible risk of exposing a path name of the local
>  file system to script, the various use cases of allowing users to access
>  local images within HTML, the <canvas> tag and within <svg> all seem
>  self-evident to me. Is there some standard workaround to allow the user to
>  change the source of an image on a web page to one that is locally stored?

Security Error: Content at
http://www.w3.org/TR/html4/interact/forms.html may not load or link to
file:///c:/newfeatures.png.
Error: uncaught exception: Load of file:///c:/newfeatures.png denied.

data:text/html,<img src="file:///c:/newfeatures.png">

in the modern world, you shouldn't be able to embed local images from
remote content.

if a user wants to see a preview an image they can use their os, file
picker, favorite image viewer, etc.

you can silently auto submit the image and send them back a version.

> I
>  used to have a dozen mini-apps that took advantage of the ability to do this
>  (they even used to work in Netscape 4 and IE 4), but the programs have all
>  broken in the past few years in all contexts except IE -- (for example here
>  http://granite.sru.edu/~ddailey/svg/clipembed.html where the input type=file
>  script is remarkably simple).
>
>  What seems odd to me is that the browsers (except Opera) all seem to expose
>  the path data to script, despite blocking the easy use of that data. Maybe
>  I'm missing something obvious.

modern browsers will not expose path, only leaf.

>  Apologies, also, if this issue has already been discussed -- my memory seems
>  never to have been what it should have been.