[whatwg] Review of the 3.16 section and the HTMLInputElement interface from Ian Hickson on 2008-11-06 (public-whatwg-archive@w3.org from November 2008)

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 6 Nov 2008 17:50:31 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0811061722180.1041@hixie.dreamhostps.com>

On Thu, 6 Nov 2008, Eduard Pascual wrote:
> 
> I agree with Samuel in that this is an issue. In Catalunya, most often 
> Spanish software is used (both OS and browsers), because a lot of the 
> software is not easily (or at all) available in Catalan (specially 
> Microsoft software, such as Windows and IE, which ammount for a quite 
> big fraction of web surfers). Seeing Spanish stuff in pages that are 
> supposed to be in Catalan is quite annoying (especially when keeping in 
> mind some historic factors).
> 
> I can understand that there may be some security concerns with this 
> control; but I don't think changing the "Browse" caption poses any 
> threat. But if there is so much paranoia on this, browsers could be 
> allowed (or even required) to ask for confirmation when picking a file 
> if the caption has been changed (something like "Are you sure you would 
> like to submit C:\example.txt to example.com?" should be enough, and 
> users would easily see such question as coming from the UA rather than 
> from the webpage).

It has been shown that prompts are ignored by users, so that wouldn't 
really solve the problem.


On Thu, 6 Nov 2008, Samuel Santos wrote:
>
> If changing the button text can be a security issue (e.g. induce the 
> user to an action that he's not aware of), we can come up with some 
> solutions.
> 
> What about allowing the Author to change the control's locale? By doing 
> so, the UA can then render the button with the same locale as the 
> application without compromising the security.

It seems like browsers should do this already based on the lang="" 
attribute. I recommend asking browser vendors to implement this.


On Thu, 6 Nov 2008, Eduard Pascual wrote:
>
> I was going to suggest this, but I don't think it's really doable: 
> browsers would need to include all the translations of that caption in 
> all their versions. In the specific case of IE, considering that 
> Microsoft tends to license only single-language versions of its products 
> (if you want it in two languages, you need to pay twice), I'm afraid 
> this would be an issue (despite the fact that IE is actually distributed 
> for free, it would still mess with their "packaging").

It's true that this may not be something browsers want to implement.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 6 November 2008 09:50:31 UTC