W3C home > Mailing lists > Public > whatwg@whatwg.org > September 2009

[whatwg] Fakepath revisited

From: Alex Henrie <alexhenrie24@gmail.com>
Date: Mon, 7 Sep 2009 02:24:12 -0600
Message-ID: <e89c552e0909070124x587c327fi78546f516442e9fa@mail.gmail.com>
On Mon, Sep 7, 2009 at 12:35 AM, Simon Pieters<simonp at opera.com> wrote:
> On Fri, 04 Sep 2009 20:07:19 +0200, Alex Henrie <alexhenrie24 at gmail.com>
> wrote:
>
>> implementing
>> fakepath would require teaching every web developer to use
>> foo.value.substr(12) or foo.files[0] instead of foo.value. Confusing
>> and unintuitive behavior like this makes HTML more difficult to learn,
>> and this added cost of learning should not be ignored either.
>
> IE7 (and IE8 in quirks and compat view modes) and earlier versions of
> Firefox (and earlier versions of WebKit?) exposed the full path, so Web
> developers already had to hack out a substring to get the file name.

Expecting developers to hack out a substring at all will only lead to
more bad designs. For example, Linux and Mac OS allow filenames to
contain backslashes. So if the filename was "up\load.txt" then
foo.value would be "C:\fakepath\up\load.txt" which could easily be
mistaken for "load.txt". Fakepath will actually encourage developers
to fall into this trap, which just goes to show that it is not a
perfect solution.

On Sat, Sep 5, 2009 at 7:46 PM, timeless<timeless at gmail.com> wrote:
> On Sat, Sep 5, 2009 at 12:27 PM, Nils Dagsson
> Moskopp<nils-dagsson-moskopp at dieweltistgarnichtso.net> wrote:
>> Also, we could settle this. A sizable non-exhaustive list of problematic
>> sites could end this discussion soon. Just sayin'.
>
> Let's get biblical. Precisely how sizable is sufficient for us not to
> destroy Sodom ?
>
> The fact is that we want users to be able to upgrade routers. Routers
> that users don't upgrade to later firmware are security nightmares.
> Firefox recently announced a feature to encourage users to upgrade
> Flash. Saying that we don't want our users to upgrade their routers
> would sound disingenuous right about now. And routers are interesting
> things, there have been some fairly cool attacks on them using
> browsers (kinda like Flash).

>From what I've seen, home router firmwares are rarely updated even
though they should be. Also, I suspect that if the manufacturers of
the affected routers aren't interested in releasing updates to make
them work in non-fakepath browsers like Firefox, they may not be
interested in releasing updates for them at all. A specific list of
affected routers would go a long way to help us determine the
frequency and severity of their vulnerabilities, and whether firmware
updates are available to resolve them.

Incidentally, it would be really cool if the routers automatically
downloaded and installed their own updates. Automatic updates would
provide much more consistent security than asking end users to
regularly check for and install updates on their own.

> Sometimes it'd be nice if people were willing to trust browser
> vendors. Sometimes we aren't going to be able to release all of our
> research. But really, if there's a business case strong enough to
> prevent us from doing something we've announced we intended to do, and
> that something would have reduced our code complexity, you can be sure
> that it meant there was a reason. In all likelihood, the engineers
> hate the fact that they're doing it, but there's a reason, and it had
> to be pretty darn good for engineering to cave.
>
> (Speaking as an engineer who does not enjoy caving, but who is glad to
> be able to ship a product once in a while.)

Essentially, you are choosing to trade long-term good design for
short-term compatibility. It's the quick and easy path, and it's not a
good idea. It would be like writing specifications for the IE7 (or
IE6) rendering engine and then declaring them to be the new standard.
Sure, sites that were only tested in IE7 would continue to work
perfectly, and you could throw in some cool new features too, but it
wouldn't fix the bugs that make IE7 hard to work with in the first
place. IE8 tries to offer the best of both worlds by having a
"Compatibility View" button--why can't fakepath just be another part
of this one-click workaround?

I know that I don't get to write the standard; the decision is
ultimately not up to me. If the major browser vendors agree to
standardize on fakepath then myself and other web developers will just
have to live with it. All I can do is share my perspective and hope it
makes a difference.

-Alex
Received on Monday, 7 September 2009 01:24:12 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:08:52 UTC