- From: Drew DeVault <drew@mediacru.sh>
- Date: Wed, 25 Jun 2014 00:55:10 -0600
- To: public-html@w3.org
For well-justified security reasons, JavaScript cannot modify the value of an input type="file". The worry is that they could set it to "/etc/passwd" or something similar to learn about the user's filesystem. With recent extensions to how flexible JavaScript is with File objects, being able to create them on the fly or fetch them from drag-and-drop events, I think it's time to revisit this choice. // a is a File input.files.append(a); // Should work input.files.append('/etc/passwd'); // Should not work All other form values allow us to modify them, and I discussed this (briefly) with some others, and the primary concern is that the input's FileList may no longer be readonly and might introduce some headache for the browsers as a result. Thoughts? -- Drew DeVault
Received on Wednesday, 25 June 2014 13:59:18 UTC