[whatwg] Proposal: API to ask the user for a file
ian at hixie.ch
Mon Apr 29 13:41:51 PDT 2013
On Mon, 29 Apr 2013, JC wrote:
> So far the only way to ask a user to select a file (e.g. to upload an
> attachment in a mail client) without showing the ugly "file input" UI is
> to create one of these elements, hide it somehow, and invoke the "click"
> method on it and listen for the "changed" event.
You can also just accept a drag-and-dropped file.
Having the <input type=file> UI hidden is probably not supposed to be
possible (though it's hard for us to stop it), because it means you can
trick people into clicking the button and bringing up the dialog, which
can, if you know what browser/OS they're using, let you in some cases
trick them into uploading a particular file. (It's gotten harder with
browsers going away from allowing arbitrary text input into that
control, though, so this might no longer be that big a deal.)
> The minimum requirements would be to be able to provide a string for the
> dialog title, a string for the accepted mime types and a boolean to
> specify whether multiple files can be selected at once, the return value
> would be a FileList object . This is essentially the same
> functionality offered by the existing file input element  with the
> only addition of a title for the dialog.
We could maybe do this if browser vendors are comfortable with it... it's
definitely something we want to be really careful about, though. For
example, we don't want to set up a situation where a site can trigger a
download of a sensitive file (e.g. bank account details) and then trick
the user into uploading it by asking the user to "Select the file you want
to protect from uploading" or "For debugging purposes, select the newest
file in this directory, which is a log file we just generated".
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg