W3C home > Mailing lists > Public > www-html@w3.org > April 2000

Re: SourceXchange wish

From: Clover Andrew <aclover@1VALUE.com>
Date: Mon, 3 Apr 2000 16:19:43 +0200
Message-ID: <5F78AA062F6AD311A59000508B4AAF6D092AF3@pcs02>
To: "'www-html@w3.org'" <www-html@w3.org>
James Salsman <j.salsman@bovik.org> wrote:

> I've put a corresponding wish up on SourceXchange:
>   http://www.sourcexchange.com/WishDetail?wishID=227
> Anybody who would like to sponsor this development should please 
> submit an official SourceXchange RFP and/or comment the wish.

Looks good. Only problem is that it doesn't state which platform(s)
the feature needs to work on, or whether it means just general core
support for having extra button(s) there that launch something to
capture input. Microphone input would need drivers for the Windows
WAVE API, OSS/Free, whatever the Mac uses, and so on.

(RISC OS, of course, doesn't *have* a mic input API, so those
chaps from comp.sys.acorn who complained are probably a bit
stuffed anyway. Audio input cards were never really very popular
for some reason.)

> in pursuit of backward-compatibility it is best to emphasize
> compatibility over backwardness. If MSIE and NS stop interpreting
> ACCEPT as a filename pattern (which I hope they both already have;
> I haven't checked lately)

Well, neither developer.netscape.com nor msdn.microsoft.com
currently document ACCEPT as even existing; certainly I wasn't
aware of either browser using it as a filename match until you said
so. I don't know where/when this usage was documented, but
hopefully most web authors were, like me, unaware of it, making
usage of this "feature" low.

> Yes, Client-file-maxlength would be useful for an ultra-thin 
> client with limited buffer memory, for example a wireless phone 
> with only a few MB of recording RAM.

Yes, I understood that; I just couldn't see what the server might
usefully do with such information. Maybe it could offer to accept
chunks of audio at a time and then stick them back together; but
then, there'd probably be no reason not to also allow this
functionality for ultra-obese-clients too. (Not that I'm calling
current browsers fatties, obviously, for that would be rude.)

> All of these pie-in-the-sky features are distractions until the 
> basics are implemented on common browsers.

Fair enough then.

> And about the security considerations, lets just hope that 
> Java/J/ECMAscript and the DOMs aren't allowing write access to 
> the INPUT TYPE=FILE VALUE attributes and submitting forms by 
> themselves these days.

Luckily Microsoft and Netscape have indeed noticed this, and both
have made file input VALUE attributes read-only (you can write to
them but it fails silently). This is contrary to the documentation
at msdn.microsoft.com though. (Which says value and outerHTML are
both read/write.)

I think I've tested and ruled out most possible security problems
in Internet Explorer's file inputs, but to be honest the range
of methods and properties it exposes is so mind-bogglingly
complex that I can't say for sure. I'm slightly concerned that
IE 5.5's fireEvent method might be a problem if it can make
keypress events happen, but I haven't tried 5.5 so I wouldn't
know. I expect it's safe.

The nearest I can think of to a file-stealing exploit along these
lines is a label saying, "Type C:\Secret\file.txt into this
box little child" over a text box that when you click on, the
focus goes to a file input that has been positioned off-screen.
Everything you type into the file input box gets copied into the
text box on a poll event. This would only work if the user didn't
notice the lack of caret and was also thick. It's not a very
good exploit, is it?

-- 
Andrew Clover
Technical Support
1VALUE.com AG
Received on Monday, 3 April 2000 10:23:28 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Tuesday, 27 March 2012 18:15:43 GMT