
[whatwg] input type="file" value inconsistencies

From: Jonas Sicking <jonas@sicking.cc>
Date: Wed, 14 Nov 2007 02:33:30 -0800
Message-ID: <473ACEFA.1060602@sicking.cc>

Daniel Veditz wrote:
> I'd like the WHAT-WG specs to specify the expected value of a file input
> control that has been filled by the user.
> 
> The Web-Forms 2 spec says only the filename, not the path, is uploaded to
> the server, and this seems to be general browser practice. But what about
> the value seen by scripts in the page? IE, Mozilla, and Safari reveal the
> full pathname while Opera returns only the filename.
> 
> Mozilla has a very old privacy request that we limit the .value to just the
> filename as uploaded with the form
> (https://bugzilla.mozilla.org/show_bug.cgi?id=143220). We've also gotten
> advocacy that we WONTFIX the bug because there are intranet apps that use
> the full path value, and in fact don't upload the files themselves; they
> just use the control as a convenient picker to get the path (they use
> script to move those values into a text input control).
> 
> Opera's approach is privacy preserving and consistent with the spec for the
> uploaded value.

Honestly, I think we should simply do what Opera does. I'm sorry it'll 
break a few intranet apps, but we've said security over compatibility 
many times before.

Ideally the full pathname would be available through other means to 
trusted pages. However trusted pages is not something that there are any 
specs for yet. Unfortunately.

/ Jonas
Received on Wednesday, 14 November 2007 02:33:30 GMT
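
What the two behaviours discussed in this message expose to page script, as an added example that is not part of the original thread: `filenameOnly` gives the filename-only value described for Opera, and `pathDisclosure` lists what a full pathname reveals in addition. The function names, the home-directory list and the sample paths are assumptions constructed for illustration.

```javascript
// Added example, not code from the thread or from any browser.
// All paths used with these functions are constructed samples.

// Split on both separators so Windows and POSIX paths are handled alike.
function splitPath(value) {
  return value.split(/[\\/]+/).filter((part) => part !== "");
}

// The filename-only value, i.e. what the thread says Opera exposes to script.
function filenameOnly(value) {
  const parts = splitPath(value);
  return parts.length ? parts[parts.length - 1] : "";
}

// Directories whose next path component is normally an account name
// (assumed list covering common Windows, Linux and macOS layouts).
const HOME_PARENTS = ["users", "home", "documents and settings"];

// Report what a script learns from a full pathname beyond the filename.
function pathDisclosure(value) {
  const parts = splitPath(value);
  const filename = parts.length ? parts[parts.length - 1] : "";
  const directories = parts.slice(0, -1);
  const idx = directories.findIndex((d) =>
    HOME_PARENTS.includes(d.toLowerCase())
  );
  const account =
    idx >= 0 && idx + 1 < directories.length ? directories[idx + 1] : null;
  let platform = "unknown";
  if (/^[A-Za-z]:\\/.test(value) || value.startsWith("\\\\")) {
    platform = "windows";
  } else if (value.startsWith("/")) {
    platform = "posix";
  }
  return { filename, directories, account, platform };
}

// Constructed sample: a full path as a script would have read it from .value.
const sample = "C:\\Documents and Settings\\alice\\My Documents\\payroll\\q3.xls";
console.log(filenameOnly(sample));
console.log(pathDisclosure(sample));
```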
