W3C home > Mailing lists > Public > whatwg@whatwg.org > August 2010

[whatwg] Input URL State and Files object

From: James May <whatwg@fowlsmurf.net>
Date: Tue, 3 Aug 2010 16:18:15 +1000
Message-ID: <AANLkTikUtNZd9+QRFj49fAUL3cgi9vB5V5xhrxG6_GKO@mail.gmail.com>
>> Why wouldn't<input type=file> ?be usable for this? You should be able to
>> drag any file to that, just like you can type in a URL in Windows in an
>> open file dialog box.
>>
>
> <input type="file"> would be usable.
>
> Were this implemented:
>
> When a user through selection, click+drag or manual entry of a URL
> should the browser still submit an Origin request header? It seems that CORS
> doesn't come
> into effect here -- but at the same time, it'd be handy for logging purposes
> and added security.
>
> When a cross-site resource is fetched via CORS, the agent submits an
> "Origin" header.
> A secure site (such as a bank), may always return a Forbidden response if
> the "Origin" header is set;
> blocking any kind of cross-site sharing, even sharing attempted by a user
> (through an <input type="file"> field).
>

On Windows at least, when put a URL in the open dialog the shell
downloads it then passes a temporary file. The browser never gets the
source URL - so it'd be difficult without re-implementing the dialog
(undesirable).  Plus user control, and all that.


-- James
Received on Monday, 2 August 2010 23:18:15 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:08:59 UTC