- From: Ian Hickson <ian@hixie.ch>
- Date: Fri, 22 Sep 2006 17:15:56 +0000 (UTC)
- To: public-webapi@w3.org
I'm concerned about the open() method on the FileDialog interface. It seems like it would make it possible, through an attack like the famous fast clicking game, to cause a user to select a file (probably at random, but from the user's home directory, so likely a confidential file).

I would feel much more comfortable if the FileList API was provided merely as an extension to the HTMLInputElement interface, thus requiring authors to use an <input type=file> control, and requiring users to click the Browse button before the dialog would appear. (UAs can then guarantee that the fast clicking game attack will be unsuccessful, by positioning the file dialog such that the button location doesn't coincide with a sensitive part of the dialog.)

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 22 September 2006 17:16:10 UTC