W3C home > Mailing lists > Public > public-html-bugzilla@w3.org > July 2011

[Bug 13119] Make the @value attribute in <input> when type="file" work as a suggestion for the OS file picker

From: <bugzilla@jessica.w3.org>
Date: Thu, 07 Jul 2011 21:52:48 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1QewV6-0006E6-Vu@jessica.w3.org>
http://www.w3.org/Bugs/Public/show_bug.cgi?id=13119

Jonas Sicking <jonas@sicking.cc> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jonas@sicking.cc

--- Comment #7 from Jonas Sicking <jonas@sicking.cc> 2011-07-07 21:52:47 UTC ---
I agree with Boris, it's unlikely that we'd implement this in Firefox. It's
simply too easy to trick the user into selecting a file that they don't intend
to share. Here's one attack scenario:

1. Add a <input type=file value="/etc/passwd"> on a page
2. Use CSS to make the <input> 1x1 pixels large
3. Put a <a href="money.html">Click here for free money</a> link on the page
4. Use javascript to detect when the user hovers the above link
5. Use CSS to position the <input> just under the cursor.

Once the user attempts to click the link it will instead open a filepicker.
Most people's reaction to this would be "get out of my way stupid dialog, I
want to click my free-money link" and simply press "OK" in the file picker.

This is generally known as the "whatever button". When faced with a dialog
people generally don't bother reading its contents but instead think "whatever"
and press any button that will allow them to continue with their task.

-- 
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Thursday, 7 July 2011 21:52:50 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 7 January 2015 16:31:13 UTC