
[whatwg] Exposing filenames in DataTransfer

From: Robert O'Callahan <robert@ocallahan.org>
Date: Tue, 19 Oct 2010 12:45:45 +1300
Message-ID: <AANLkTi=j2mgHUz-HkvrFs_46ExP-mKDLfBb_reUV=hsT@mail.gmail.com>

On Tue, Oct 19, 2010 at 9:59 AM, Daniel Cheng <dcheng at chromium.org> wrote:

> However, this leads to issues like file system paths being exposed through
> properties like "x-special/gnome-icon-list" or even "text/plain". What is
> the expected behavior here? Mirroring the native dragging clipboard allows
> for a much richer interaction with the system, but I'm not sure if we need
> to go out of our way to try to scrub all paths from the drag. After all, if
> you're dropping the file on the page, you're already exposing the contents
> of the file, which are probably much more interesting than just the path.
> Thoughts?

The path can expose interesting metadata, such as the local username (useful
for dictionary attacks!), the names of file servers, names of projects, etc.
Obviously the filename can expose some too, but hopefully the user's more
aware of that.

"Now the Bereans were of more noble character than the Thessalonians, for
they received the message with great eagerness and examined the Scriptures
every day to see if what Paul said was true." [Acts 17:11]
Received on Monday, 18 October 2010 16:45:45 UTC
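
The metadata concern raised in the reply above, as an added example that is not part of the original message or of any browser's code: a sketch that reports what a path carried in drag data reveals (account name, file server, directory names) and reduces each path to its basename before page script sees it. The helper names `analyzePath` and `scrubDragData`, the sample values, and the one-entry-per-line payload layout are assumptions made for illustration.

```javascript
// Added example: hypothetical helpers, constructed inputs.
// Report what a local path reveals and reduce it to its basename.
function analyzePath(raw) {
  let p = raw.trim();
  const leaks = {};
  // file:// URI: a non-empty host part names a file server.
  const uri = /^file:\/\/([^\/]*)(\/.*)$/i.exec(p);
  if (uri) {
    if (uri[1] && uri[1] !== 'localhost') leaks.server = uri[1];
    try { p = decodeURIComponent(uri[2]); } catch (e) { p = uri[2]; }
    if (/^\/[A-Za-z]:\//.test(p)) p = p.slice(1); // file:///C:/... -> C:/...
  }
  p = p.replace(/\\/g, '/'); // treat Windows separators like POSIX ones
  // UNC path (//server/share/...) names a file server and a share.
  const unc = /^\/\/([^\/]+)\/([^\/]+)/.exec(p);
  if (unc) { leaks.server = unc[1]; leaks.share = unc[2]; }
  // Common home-directory layouts reveal the local account name.
  const home = /^(?:[A-Za-z]:)?\/(?:home|Users|Documents and Settings)\/([^\/]+)\//.exec(p);
  if (home) leaks.username = home[1];
  const parts = p.split('/').filter(Boolean);
  const basename = parts.length ? parts[parts.length - 1] : '';
  // Heuristic: anything that is a file URI or starts at a root counts as a path.
  const isPath = Boolean(uri) || /^(?:[A-Za-z]:)?\//.test(p);
  if (isPath) leaks.directories = parts.slice(0, -1); // project names etc.
  return { isPath, basename, leaks };
}

// Replace every path-like line in every drag format with its basename.
function scrubDragData(formats) {
  const out = {};
  for (const [type, data] of Object.entries(formats)) {
    out[type] = data.split(/\r?\n/).map((line) => {
      const r = analyzePath(line);
      return r.isPath ? r.basename : line;
    }).join('\n');
  }
  return out;
}

// Constructed sample drag payload (values and layout are assumptions).
const SAMPLE = {
  'text/plain': '/home/alice/projects/falcon/report.txt',
  'x-special/gnome-icon-list': 'file:///home/alice/projects/falcon/report.txt',
};
console.log(analyzePath(SAMPLE['text/plain']).leaks, scrubDragData(SAMPLE));
```

The path test is a heuristic, so ordinary text that happens to begin with `/` is also reduced to its last segment.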
