- From: James May <whatwg@fowlsmurf.net>
- Date: Tue, 3 Aug 2010 16:18:15 +1000

>> Why wouldn't <input type=file> be usable for this? You should be able to
>> drag any file to that, just like you can type in a URL in Windows in an
>> open file dialog box.
>>
>
> <input type="file"> would be usable.
>
> Were this implemented:
>
> When a user through selection, click+drag or manual entry of a URL
> should the browser still submit an Origin request header? It seems that CORS
> doesn't come
> into effect here -- but at the same time, it'd be handy for logging purposes
> and added security.
>
> When a cross-site resource is fetched via CORS, the agent submits an
> "Origin" header.
> A secure site (such as a bank), may always return a Forbidden response if
> the "Origin" header is set;
> blocking any kind of cross-site sharing, even sharing attempted by a user
> (through an <input type="file"> field).
>

On Windows at least, when you put a URL in the open dialog the shell downloads it then passes a temporary file. The browser never gets the source URL - so it'd be difficult without re-implementing the dialog (undesirable).

Plus user control, and all that.

-- James

Received on Monday, 2 August 2010 23:18:15 UTC