[whatwg] Exposing filenames in DataTransfer
Anne van Kesteren
annevk at opera.com
Tue Oct 26 03:15:41 PDT 2010
On Thu, 21 Oct 2010 02:20:57 +0200, Daniel Cheng <dcheng at chromium.org>
wrote:
> To clarify, I wasn't proposing that pages need to know details of a
> particular OS. Things like "text/plain", "text/uri-list", "text/html",
> etc. are automatically mapped by the UA to whatever the appropriate
> platform idiom is.
>
> I just thought it would be useful to also expose things that the UA
> itself doesn't natively understand--it just gets passed through to the
> web content.
I was saying that if you get this on one OS but not another you might get
pages that depend on a particular OS if not coded carefully.
> However, this led to the above problem with filenames being exposed. This
> can, to some extent, be mitigated by blacklisting certain types; I'm just
> wondering if people feel that the additional utility is worth the risk of
> potentially exposing file paths because of a chatty file manager, or if
> anyone has any ideas on how to mitigate this risk.
It should probably work with a whitelist.
--
Anne van Kesteren
http://annevankesteren.nl/
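
Added example, not part of the original message and not code from any browser: a sketch of UA-side filtering of drag data types, showing why a blacklist misses an unlisted type from a chatty file manager while a whitelist fails closed. Only text/plain, text/uri-list and text/html come from the thread; the other type names, the function names and the sample payload are constructed assumptions.

```javascript
// Added illustration, not code from the thread or from any browser.
// Only text/plain, text/uri-list and text/html come from the thread; every
// other type name and all payload data below are constructed.
const ALLOWED_TYPES = new Set(["text/plain", "text/uri-list", "text/html"]);
const DENIED_TYPES = new Set(["application/x-example-fm-paths"]);

// MIME types compare case-insensitively, so normalize before any lookup.
const normalize = (type) => type.trim().toLowerCase();

// Denylist: expose everything except types already known to carry paths.
function filterWithDenylist(items) {
  return items.filter((item) => !DENIED_TYPES.has(normalize(item.type)));
}

// Allowlist: expose only types the UA understands; unknown types fail closed.
function filterWithAllowlist(items) {
  return items.filter((item) => ALLOWED_TYPES.has(normalize(item.type)));
}

// True if any exposed item carries something shaped like a local file path.
const LOCAL_PATH = /^(?:\/|[A-Za-z]:\\|file:)/;
function exposesLocalPath(items) {
  return items.some((item) => LOCAL_PATH.test(item.data));
}

// Constructed drag payload from a hypothetical chatty file manager.
const dragItems = [
  { type: "text/plain", data: "report.pdf" },
  { type: "text/html", data: "<a href=\"https://example.com/r\">report</a>" },
  { type: "Application/X-Example-FM-Paths", data: "/home/alice/private/report.pdf" },
  { type: "application/x-example-other-fm-selection", data: "C:\\Users\\alice\\report.pdf" },
];

const viaDenylist = filterWithDenylist(dragItems);
const viaAllowlist = filterWithAllowlist(dragItems);
console.log("denylist exposes:", viaDenylist.map((i) => i.type),
            "path leak:", exposesLocalPath(viaDenylist));
console.log("allowlist exposes:", viaAllowlist.map((i) => i.type),
            "path leak:", exposesLocalPath(viaAllowlist));
```

The denylist drops the one type it knows about but still passes the second, unlisted type through to the page; the allowlist exposes only the two text types.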