[whatwg] Exposing filenames in DataTransfer

Daniel Cheng dcheng at chromium.org
Mon Oct 18 13:59:40 PDT 2010

I've been working on better support of arbitrary MIME types in WebKit for
some time, and I had some implementation questions. In the past, UAs seem to
have gone out of their way to make sure full filesystem paths aren't exposed
to the JavaScript (e.g. in the file input control). When I did the work for
WebKit, I implemented the web dragging clipboard as a simple reflection of
the native dragging clipboard.

However, this leads to issues like file system paths being exposed through
properties like "x-special/gnome-icon-list" or even "text/plain". What is
the expected behavior here? Mirroring the native dragging clipboard allows
for a much richer interaction with the system, but I'm not sure if we need
to go out of our way to try to scrub all paths from the drag. After all, if
you're dropping the file on the page, you're already exposing the contents
of the file, which are probably much more interesting than just the path.
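
Added example, not part of the original message and not WebKit code: one way a user agent could scrub local paths from a native drag payload before reflecting it into DataTransfer. The function names, the path heuristics and the sample payload are assumptions made for illustration.

```javascript
// Added example (hypothetical names): filter a native drag payload before a
// user agent reflects it into the page-visible DataTransfer.

// Heuristic patterns for local filesystem locations; not exhaustive.
const LOCAL_PATH_PATTERNS = [
  /\bfile:\/\/\S*/i,                        // file:// URIs
  /(^|[\s"'=])\/(?:[^\/\s]+\/)+[^\/\s]*/,   // POSIX absolute path with a directory part
  /(^|[\s"'=])[A-Za-z]:[\\\/]\S*/,          // Windows drive path
  /(^|[\s"'=])\\\\[^\\\s]+\\\S+/,           // UNC path
];

function containsLocalPath(text) {
  return LOCAL_PATH_PATTERNS.some((re) => re.test(text));
}

// nativeItems: plain object mapping a type string to its string data.
// Returns the entries safe to expose and the types that were withheld.
function scrubDragData(nativeItems) {
  const exposed = {};
  const withheld = [];
  for (const [type, data] of Object.entries(nativeItems)) {
    if (type.toLowerCase() === "text/uri-list") {
      // Line-oriented format: drop only the lines that name local files.
      const kept = data.split(/\r?\n/)
        .filter((line) => line !== "" && !containsLocalPath(line));
      if (kept.length > 0) exposed[type] = kept.join("\r\n");
      else withheld.push(type);
    } else if (containsLocalPath(data)) {
      // Structure unknown, so the whole entry is withheld rather than edited.
      withheld.push(type);
    } else {
      exposed[type] = data;
    }
  }
  return { exposed, withheld };
}

// Constructed sample of what a file manager might place on the drag clipboard.
const sampleDrag = {
  "text/plain": "/home/alice/Pictures/cat.png",
  "text/uri-list": "file:///home/alice/Pictures/cat.png\r\nhttps://example.org/cat.png",
  "x-special/gnome-icon-list": "file:///home/alice/Pictures/cat.png\r64:64:48:48\r\n",
  "text/html": "<b>cat</b>",
};

console.log(scrubDragData(sampleDrag));
```

Withholding whole entries for types of unknown structure trades the richer system interaction described above for not leaking the path; only text/uri-list is edited line by line because its format is known.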
