[whatwg] Input URL State and Files object

James May whatwg at fowlsmurf.net
Mon Aug 2 23:18:15 PDT 2010


>> Why wouldn't<input type=file>  be usable for this? You should be able to
>> drag any file to that, just like you can type in a URL in Windows in an
>> open file dialog box.
>>
>
> <input type="file"> would be usable.
>
> Were this implemented:
>
> When a user through selection, click+drag or manual entry of a URL
> should the browser still submit an Origin request header? It seems that CORS
> doesn't come
> into effect here -- but at the same time, it'd be handy for logging purposes
> and added security.
>
> When a cross-site resource is fetched via CORS, the agent submits an
> "Origin" header.
> A secure site (such as a bank), may always return a Forbidden response if
> the "Origin" header is set;
> blocking any kind of cross-site sharing, even sharing attempted by a user
> (through an <input type="file"> field).
>

On Windows at least, when put a URL in the open dialog the shell
downloads it then passes a temporary file. The browser never gets the
source URL - so it'd be difficult without re-implementing the dialog
(undesirable).  Plus user control, and all that.


-- James



More information about the whatwg mailing list