- From: Michael A. Puls II <shadow2531@gmail.com>
- Date: Wed, 14 Nov 2007 05:50:19 -0500
On 11/14/07, Daniel Veditz <dveditz at cruzio.com> wrote:
> I'd like the WHAT-WG specs to specify the expected value of a file input
> control that has been filled by the user.
>
> The Web-Forms 2 spec says only the filename, not the path, is uploaded to
> the server, and this seems to be general browser practice. But what about
> the value seen by scripts in the page? IE, Mozilla, and Safari reveal the
> full pathname while Opera returns only the filename.
>
> Mozilla has a very old privacy request that we limit the .value to just the
> filename as uploaded with the form
> (https://bugzilla.mozilla.org/show_bug.cgi?id=143220). We've also gotten
> advocacy that we WONTFIX the bug because there are intranet apps that use
> the full path value, and in fact don't upload the files themselves they
> just use the control as a convenient picker to get the path (they use
> script to move those values into a text input control).
>
> Opera's approach is privacy preserving and consistent with the spec for the
> uploaded value.
>

Opera's way is safer, but I hate it sometimes.

For example, if I make the page:

    file://localhost/c:/Documents%20and%20Settings/user/Desktop/test.html
    <input type="file" oninput="alert(this.value)">

and choose the file 'f:\audio\some file.ogg', I expect the alert to show "file://localhost/f:/audio/some%20file.ogg". (There's no harm in that exact situation.)

For browsers, I really expect options like:

    [file input script access]
    Reveal full path for file input = no (default) | yes with warning | yes
    Full path format for file input = native (default) | file URI
    Quote full path for file input = yes (default) | no

However, the spec can't say those things I think. All it can say is that scripts should only have access to the file name (like Opera).

--
Michael
Received on Wednesday, 14 November 2007 02:50:19 UTC
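
Added example (not part of the original message and not any browser's code): a sketch of how the three preferences proposed above could decide what a page script sees in a file input's .value. The function names, the prefs object, the askUser callback, and the reading of "quote" as wrapping the value in double quotes are all assumptions made for illustration.

```javascript
// Hypothetical model of the proposed "[file input script access]" options.
// Nothing here is a real browser API; all names are made up for this example.

// File name only: split on both separators so Windows and POSIX paths work.
function baseName(nativePath) {
  const parts = nativePath.split(/[\\/]/);
  return parts[parts.length - 1];
}

// Native path -> file URI in the form used in the message
// (file://localhost/<drive>:/<segments>), percent-encoding each segment.
function toFileUri(nativePath) {
  const segments = nativePath
    .replace(/\\/g, "/")
    .split("/")
    .filter((s) => s !== "");
  const encoded = segments.map((seg, i) =>
    // Keep the colon of a leading drive letter such as "f:" unescaped.
    i === 0 && /^[A-Za-z]:$/.test(seg) ? seg : encodeURIComponent(seg)
  );
  return "file://localhost/" + encoded.join("/");
}

// prefs.reveal: "no" (default) | "yes with warning" | "yes"
// prefs.format: "native" (default) | "file URI"
// prefs.quote:  true (default) | false
// askUser stands in for the warning prompt; it must return true to reveal.
function scriptVisibleValue(nativePath, prefs = {}, askUser = () => false) {
  const { reveal = "no", format = "native", quote = true } = prefs;
  const allowed =
    reveal === "yes" ||
    (reveal === "yes with warning" && askUser(nativePath) === true);
  // Privacy-preserving default: scripts get the file name, never the path.
  if (!allowed) return baseName(nativePath);
  const full = format === "file URI" ? toFileUri(nativePath) : nativePath;
  return quote ? `"${full}"` : full;
}

// Constructed sample input taken from the message's own scenario.
const chosen = "f:\\audio\\some file.ogg";
console.log(scriptVisibleValue(chosen));
console.log(scriptVisibleValue(chosen, { reveal: "yes", format: "file URI" }));
```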