W3C home > Mailing lists > Public > public-html@w3.org > January 2012

Hidden file inputs [Was: Revert Request]

From: Benjamin Hawkes-Lewis <bhawkeslewis@googlemail.com>
Date: Tue, 31 Jan 2012 23:21:54 +0000
Message-ID: <CAEhSh3dp7Y=jn9Fsiowd63StG3XF_jR=qU5MKHwrVsj1jdQqsQ@mail.gmail.com>
To: Charles Pritchard <chuck@jumis.com>
Cc: Jonas Sicking <jonas@sicking.cc>, Laura Carlson <laura.lee.carlson@gmail.com>, Silvia Pfeiffer <silviapfeiffer1@gmail.com>, Sam Ruby <rubys@intertwingly.net>, Paul Cotton <Paul.Cotton@microsoft.com>, Maciej Stachowiak <mjs@apple.com>, HTML WG <public-html@w3.org>
On Tue, Jan 31, 2012 at 10:29 PM, Charles Pritchard <chuck@jumis.com> wrote:
> While I disagree with this method, I want to point out one little irking
> unresolved issue.
> <input type="file" hidden> is becoming a real thing.
>
> I don't think it's a big issue, but since a11y peoples are on this thread, I
> do want to point it out.
> This is how I'd handle it, in my current code.
>
> <button onclick="file.click()" role="file button">Add files</button>
> <input type="file" id="file" hidden />

Providing custom file inputs by delegating clicks to a hidden file
input is a tricky business, since UAs try to prevent activation of
hidden file inputs for security reasons. When they do prevent it,
"click" fails silently which makes it impossible to test for this
behavior. Getting "click" to trigger a file dialog to open therefore
depends on circumventing the UA's hidden control detection, which
means there's a high risk that code that works today will break
tomorrow when UA detection mechanisms improve.

I suppose you could argue that UAs should at least throw a security
exception when click() is called on a hidden file input as per:

"When support for a feature is disabled (e.g. as an emergency measure
to mitigate a security problem, or to aid in development, or for
performance reasons), user agents must act as if they had no support
for the feature whatsoever, and as if the feature was not mentioned in
this specification. For example, if a particular feature is accessed
via an attribute in a Web IDL interface, the attribute itself would be
omitted from the objects that implement that interface — leaving the
attribute on the object but making it return null or throw an
exception is insufficient."

   http://dev.w3.org/html5/spec/infrastructure.html#conformance-requirements

But building a good UI when such exceptions occur would be tricky. I
suppose you could throw up a modal dialog and ask the user to click a
normal file input, but that would be clunky.

I'm not sure how we can give authors powerful skinning abilities for
such controls while still allowing UAs to ensure that file dialogs
only open as a result of deliberate user action.

As an aside, what's the advantage of including role="file button" in
your markup example? Only one role would ever be used; only "button"
is defined, and that semantic is represented by the element anyway.
Possible negative effects of using the "file" token include:

   1. Byte wastage.

   2. Causing the control to be misinterpreted according to some
future definition such as "represents a file".

   3. Constraining ARIA-Next to define the "file" role to mean "button
that causes a file dialog to open" rather than whatever the spec
editors think best at the time.

--
Benjamin Hawkes-Lewis
Received on Tuesday, 31 January 2012 23:22:31 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 9 May 2012 00:17:43 GMT