
Re: [File Upload] Security problems with File Upload

From: Robin Berjon <robin.berjon@expway.fr>
Date: Fri, 22 Sep 2006 19:25:42 +0000
Message-Id: <21CF7A69-176D-4C4A-99EF-BA11D6A776DA@expway.fr>
Cc: public-webapi@w3.org
To: Ian Hickson <ian@hixie.ch>

Hi Ian,

On Sep 22, 2006, at 17:15, Ian Hickson wrote:
> It seems like it would make it possible, through an attack like the famous
> fast clicking game, to cause a user to select a file (probably at random,
> but from the user's home directory, so likely a confidential file).

There are well-known workarounds for this, notably delayed activation
of the dialogue. This could be noted in the specification.

> I would feel much more comfortable if the FileList API was provided merely
> as an extension to the HTMLInputElement interface, thus requiring authors
> to use an <input type=file> control, and requiring users to click the
> Browse button before the dialog would appear.

The problem with this solution is that it then requires that the
environment supports <input type=file>, which isn't always the case.

-- 
Robin Berjon
    Senior Research Scientist
    Expway, http://expway.com/
Received on Friday, 22 September 2006 21:12:55 GMT
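The "delayed activation" workaround Robin mentions is a user-agent policy, not something a page author writes, but it is easy to model. The block below is an added example, not code from this thread or from any browser: it models a file picker that ignores a confirming click arriving within a grace period of the dialog appearing, then replays a constructed click timeline from the "fast clicking game" attack Ian describes. The class and function names, the 500 ms grace value and the timeline are all assumptions for illustration.

```javascript
// Added example, not from the thread: a model of a file picker that applies
// "delayed activation". The picker refuses a confirming click that lands
// within graceMs of the dialog opening, so a click the user has already
// queued up for a rapid-clicking game hits an inert dialog instead of
// selecting whatever file the dialog highlights by default.
const GRACE_MS = 500; // assumed value; a real user agent chooses its own delay

class FilePicker {
  constructor(graceMs = GRACE_MS) {
    this.graceMs = graceMs;
    this.openedAt = null;   // null while no dialog is showing
    this.selected = null;   // filename handed to the page, if any
  }

  // The page (or script) asks the user agent to show the picker at time `now`.
  open(now) {
    this.openedAt = now;
    this.selected = null;
  }

  // A click on the dialog's "Open" button at time `now` for the highlighted file.
  confirm(now, filename) {
    if (this.openedAt === null) return 'ignored:closed';
    if (now - this.openedAt < this.graceMs) return 'ignored:too-early';
    this.selected = filename;
    this.openedAt = null;
    return 'selected';
  }
}

// Replay the attack against a picker with the given grace period.
// The timeline is constructed: the page opens the picker mid-game and the
// user's next reflexive click arrives 50 ms later, on top of the dialog.
function simulateFastClickAttack(graceMs) {
  const picker = new FilePicker(graceMs);
  const timeline = [            // milliseconds since page load
    { t: 1000, type: 'game-click' },
    { t: 1200, type: 'game-click' },
    { t: 1350, type: 'open-picker' },
    { t: 1400, type: 'game-click' },   // lands on the dialog 50 ms after it opened
  ];
  const log = [];
  for (const ev of timeline) {
    if (ev.type === 'open-picker') {
      picker.open(ev.t);
    } else if (picker.openedAt !== null) {
      // The dialog is up, so the click goes to it rather than to the game.
      log.push(picker.confirm(ev.t, 'secrets.txt'));
    }
  }
  return { selected: picker.selected, log };
}

// A deliberate selection made after the grace period still goes through.
function simulateLegitimateSelection(graceMs) {
  const picker = new FilePicker(graceMs);
  picker.open(0);
  return picker.confirm(graceMs + 200, 'report.pdf');
}
```

With no grace period the queued click selects `secrets.txt`; with a 500 ms grace period the same click is ignored, while a deliberate click made after the delay is still accepted. The model says nothing about which file a real dialog highlights by default, which is the part of Ian's concern a delay does not address.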
