[Bug 13119] Make the @value attribute in <input> when type="file" work as a suggestion for the OS file picker

http://www.w3.org/Bugs/Public/show_bug.cgi?id=13119

Jonas Sicking <jonas@sicking.cc> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jonas@sicking.cc

--- Comment #7 from Jonas Sicking <jonas@sicking.cc> 2011-07-07 21:52:47 UTC ---
I agree with Boris, it's unlikely that we'd implement this in Firefox. It's
simply too easy to trick the user into selecting a file that they don't intend
to share. Here's one attack scenario:

1. Add a <input type=file value="/etc/passwd"> on a page
2. Use CSS to make the <input> 1x1 pixels large
3. Put a <a href="money.html">Click here for free money</a> link on the page
4. Use JavaScript to detect when the user hovers the above link
5. Use CSS to position the <input> just under the cursor.

Once the user attempts to click the link it will instead open a file picker.
Most people's reaction to this would be "get out of my way stupid dialog, I
want to click my free-money link" and simply press "OK" in the file picker.

This is generally known as the "whatever button". When faced with a dialog
people generally don't bother reading its contents but instead think "whatever"
and press any button that will allow them to continue with their task.


Received on Thursday, 7 July 2011 21:52:50 UTC