W3C home > Mailing lists > Public > whatwg@whatwg.org > May 2012

Re: [whatwg] Make files attribute of the input element writable

From: Maciej Stachowiak <mjs@apple.com>
Date: Tue, 22 May 2012 21:16:10 -0700
Message-id: <87657129-66FC-4FB1-AD44-B7AE8B64807E@apple.com>
To: Nico Weber <thakis@chromium.org>
Cc: whatwg@whatwg.org

It seems like making FileList mutable would serve the same use case and would also be more flexible (as you could upload a set of files collected from possibly multiple sources). And it seems like adding is a more likely desired behavior than replacing when dragging files onto a multi-file input.

I have not yet fully thought through the security implications of either case. Do you have any security analysis you could share? For instance, is there an exhaustive list of ways a Web page could obtain a FileList, and are we confident that all are safe for this use?

Also: wouldn't anyone doing fancy drag-n-drop file upload be likely to use XHR for upload rather than a form submission?

Cheers,
Maciej

On May 22, 2012, at 10:41 AM, Nico Weber <thakis@chromium.org> wrote:

> Hi,
> 
> The files attribute of the input element is currently marked readonly
> [1], to protect from `myInput.files = "/etc/passwd"; myForm.submit()`.
> Since its type is now FileList and not string, that's no longer
> necessary.
> 
> Making the attribute writable would allow setting the files property
> of an input element to dataTransfer.files from a drop handler. For
> example, I would like to use this to create a larger drop-target for a
> file input. Here's one request for this functionality:
> http://stackoverflow.com/questions/8006715/drag-drop-files-into-standard-html-file-input
> 
> Can the readonly restriction be removed from the spec?
> 
> Nico
> 
> 
> 1: http://www.whatwg.org/specs/web-apps/current-work/multipage/the-input-element.html#the-input-element
Received on Wednesday, 23 May 2012 04:17:06 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Wednesday, 30 January 2013 18:48:08 GMT