[whatwg] Exposing filenames in DataTransfer

Anne van Kesteren annevk at opera.com
Tue Oct 26 03:15:41 PDT 2010


On Thu, 21 Oct 2010 02:20:57 +0200, Daniel Cheng <dcheng at chromium.org>  
wrote:
> To clarify, I wasn't proposing that pages need to know details of a
> particular OS. Things like "text/plain", "text/uri-list", "text/html",  
> etc. are automatically mapped by the UA to whatever the appropriate  
> platform
> idiom is.
>
> I just thought it would be useful to also expose things that the UA  
> itself doesn't natively understand--it just gets passed through to the  
> web content.

I was saying that if you get this on one OS but not another you might get  
pages that depend on a particular OS if not coded carefully.


> However, this led to the above problem with filenames being exposed. This
> can, to some extent, be mitigated by blacklisting certain types; I'm just
> wondering if people feel that the additional utility is worth the risk of
> potentially exposing file paths because of a chatty file manager, or if
> anyone has any ideas on how to mitigate this risk.

It should probably work with a whitelist.


-- 
Anne van Kesteren
http://annevankesteren.nl/



More information about the whatwg mailing list