- From: Drew DeVault <drew@mediacru.sh>
- Date: Wed, 25 Jun 2014 00:55:10 -0600
- To: public-html@w3.org

For well-justified security reasons, JavaScript cannot modify the value
of an input type="file". The worry is that they could set it to
"/etc/passwd" or something similar to learn about the user's filesystem.
With recent extensions to how flexible JavaScript is with File objects,
being able to create them on the fly or fetch them from drag-and-drop
events, I think it's time to revisit this choice.

    // a is a File
    input.files.append(a); // Should work
    input.files.append('/etc/passwd'); // Should not work

All other form values allow us to modify them, and
I discussed this (briefly) with some others, and the primary concern is
that the input's FileList may no longer be readonly and might introduce
some headache for the browsers as a result.

Thoughts?

--
Drew DeVault
Received on Wednesday, 25 June 2014 13:59:18 UTC