
Re: [whatwg] Make files attribute of the input element writable

From: Maciej Stachowiak <mjs@apple.com>
Date: Wed, 23 May 2012 00:47:30 -0700
Message-id: <8414C7A3-9476-4D6A-B6E3-3AA522E7398F@apple.com>
To: Adam Barth <w3c@adambarth.com>
Cc: whatwg@whatwg.org, Nico Weber <thakis@chromium.org>

On May 22, 2012, at 11:57 PM, Adam Barth <w3c@adambarth.com> wrote:

> On Tue, May 22, 2012 at 9:16 PM, Maciej Stachowiak <mjs@apple.com> wrote:
>> It seems like making FileList mutable would serve the same use case and would also be more flexible (as you could upload a set of files collected from possibly multiple sources). And it seems like adding is a more likely desired behavior than replacing when dragging files onto a multi-file input.
>> 
>> I have not yet fully thought through the security implications of either case. Do you have any security analysis you could share? For instance, is there an exhaustive list of ways a Web page could obtain a FileList, and are we confident that all are safe for this use?
> 
> A FileList is just a list of File objects:
> 
> http://www.w3.org/TR/FileAPI/#dfn-filelist
> 
> Each File object represents the actual file, which means you can use
> the File API to read the contents of the files on the client already.
> 
>> Also: wouldn't anyone doing fancy drag-n-drop file upload be likely to use XHR for upload rather than a form submission?
> 
> Not necessarily.  In the applications that Nico was working on, he
> wanted to combine the file upload with other form elements into one
> POST to the server.

Since XHR can upload an arbitrary FormData which it could construct from a FileList, I guess there is no additional risk. 

But, by the same token, XHR upload of FormData[1] already serves this use case in a more flexible way. You can even make a FormData from the contents of an html form and then add additional File objects. Making the change would (afaict) not serve any new use cases. At most it would be a convenience.

Cheers,
Maciej
 
[1] <http://www.w3.org/TR/XMLHttpRequest/#interface-formdata>
Received on Wednesday, 23 May 2012 07:48:22 GMT
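
The FormData approach described in the message above, as an added example that is not part of the original post: a FormData is built from an existing form, File objects dropped by the user are added to it (rather than replacing earlier ones), and everything goes out in one POST over XHR. The field name `attachments`, the `/upload` URL and the element ids `upload-form` and `drop-zone` are assumptions.

```javascript
// Added example: "attachments", "/upload" and the element ids below are
// assumptions, not names taken from the thread.

// Merge File objects from several sources (file inputs, drop events),
// skipping entries that are already present, so drops add instead of replace.
function mergeFiles(...sources) {
  const seen = new Set();
  const merged = [];
  for (const source of sources) {
    for (const file of Array.from(source)) {
      const key = `${file.name}|${file.size}|${file.lastModified}`;
      if (!seen.has(key)) {
        seen.add(key);
        merged.push(file);
      }
    }
  }
  return merged;
}

// Start from the form's own fields (browser only), then append extra files.
function buildUploadBody(form, extraFiles, fieldName = "attachments") {
  const body = form ? new FormData(form) : new FormData();
  for (const file of extraFiles) {
    // Only File/Blob objects the page already holds are accepted here;
    // a string such as a file path is rejected rather than sent as text.
    if (!(file instanceof Blob)) throw new TypeError("expected a File or Blob");
    body.append(fieldName, file, file.name || "blob");
  }
  return body;
}

// Browser wiring: collect dropped files, then send one multipart POST.
if (typeof document !== "undefined") {
  const form = document.getElementById("upload-form");
  const zone = document.getElementById("drop-zone");
  let dropped = [];
  zone.addEventListener("dragover", (e) => e.preventDefault());
  zone.addEventListener("drop", (e) => {
    e.preventDefault();
    dropped = mergeFiles(dropped, e.dataTransfer.files);
  });
  form.addEventListener("submit", (e) => {
    e.preventDefault();
    const xhr = new XMLHttpRequest();
    xhr.open("POST", "/upload");
    xhr.send(buildUploadBody(form, dropped)); // browser sets the multipart boundary
  });
}
```

The server still has to treat every uploaded part as untrusted input, since the page script decides which File objects end up in the request.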
