W3C home > Mailing lists > Public > whatwg@whatwg.org > October 2010

[whatwg] Exposing filenames in DataTransfer

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 26 Oct 2010 12:15:41 +0200
Message-ID: <op.vk6hgfem64w2qv@anne-van-kesterens-macbook-pro.local>
On Thu, 21 Oct 2010 02:20:57 +0200, Daniel Cheng <dcheng at chromium.org>  
wrote:
> To clarify, I wasn't proposing that pages need to know details of a
> particular OS. Things like "text/plain", "text/uri-list", "text/html",  
> etc. are automatically mapped by the UA to whatever the appropriate  
> platform
> idiom is.
>
> I just thought it would be useful to also expose things that the UA  
> itself doesn't natively understand--it just gets passed through to the  
> web content.

I was saying that if you get this on one OS but not another you might get  
pages that depend on a particular OS if not coded carefully.


> However, this led to the above problem with filenames being exposed. This
> can, to some extent, be mitigated by blacklisting certain types; I'm just
> wondering if people feel that the additional utility is worth the risk of
> potentially exposing file paths because of a chatty file manager, or if
> anyone has any ideas on how to mitigate this risk.

It should probably work with a whitelist.


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Tuesday, 26 October 2010 03:15:41 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:09:01 UTC