- From: <bugzilla@jessica.w3.org>
- Date: Fri, 08 Jul 2011 10:41:16 +0000
- To: public-html-bugzilla@w3.org
http://www.w3.org/Bugs/Public/show_bug.cgi?id=13119
brunoais <brunoaiss@gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |WORKSFORME
--- Comment #8 from brunoais <brunoaiss@gmail.com> 2011-07-08 10:41:14 UTC ---
(In reply to comment #7)
> I agree with Boris, it's unlikely that we'd implement this in Firefox. It's
> simply too easy to trick the user into selecting a file that they don't intend
> to share. Here's one attack scenario:
>
> 1. Add a <input type=file value="/etc/passwd"> on a page
> 2. Use CSS to make the <input> 1x1 pixels large
> 3. Put a <a href="money.html">Click here for free money</a> link on the page
> 4. Use javascript to detect when the user hovers the above link
> 5. Use CSS to position the <input> just under the cursor.
>
> Once the user attempts to click the link it will instead open a filepicker.
> Most people's reaction to this would be "get out of my way stupid dialog, I
> want to click my free-money link" and simply press "OK" in the file picker.
>
> This is generally known as the "whatever button". When faced with a dialog
> people generally don't bother reading its contents but instead think "whatever"
> and press any button that will allow them to continue with their task.
I also go with whatever. But instead, I ALWAYS use the cancel button instead of
the ok button. Still... I see what you mean...
I'll do a worksforme as this is not going to be easy enugh to implement.
--
Configure bugmail: http://www.w3.org/Bugs/Public/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
Received on Friday, 8 July 2011 10:41:17 UTC