[whatwg] input type="file" value inconsistencies

Daniel Veditz wrote:
> I'd like the WHAT-WG specs to specify the expected value of a file input
> control that has been filled by the user.
> 
> The Web-Forms 2 spec says only the filename, not the path, is uploaded to
> the server, and this seems to be general browser practice. But what about
> the value seen by scripts in the page? IE, Mozilla, and Safari reveal the
> full pathname while Opera returns only the filename.
> 
> Mozilla has a very old privacy request that we limit the .value to just the
> filename as uploaded with the form
> (https://bugzilla.mozilla.org/show_bug.cgi?id=143220). We've also gotten
> advocacy that we WONTFIX the bug because there are intranet apps that use
> the full path value, and in fact don't upload the files themselves they
> just use the control as a convenient picker to get the path (they use
> script to move those values into a text input control).
> 
> Opera's approach is privacy preserving and consistent with the spec for the
> uploaded value.

Honestly, I think we should simply do what Opera does. I'm sorry it'll
break a few intranet apps, but we've said security over compatibility 
many times before.

Ideally the full pathname would be available through other means to 
trusted pages. However trusted pages is not something that there are any 
specs for yet. Unfortunately.

/ Jonas

Received on Wednesday, 14 November 2007 02:33:30 UTC