W3C home > Mailing lists > Public > whatwg@whatwg.org > August 2010

[whatwg] Input URL State and Files object

From: Jonas Sicking <jonas@sicking.cc>
Date: Thu, 26 Aug 2010 19:53:56 -0700
Message-ID: <AANLkTinVLGMzqky6RpuNbDJqw309-ZTSYzwkqc8ZNDyb@mail.gmail.com>
On Thu, Aug 26, 2010 at 5:24 PM, Charles Pritchard <chuck at jumis.com> wrote:
> ?On 8/25/2010 2:02 PM, Ian Hickson wrote:
>>
>> On Mon, 2 Aug 2010, Charles Pritchard wrote:
>>>>
>>>> [ UAs can use<input type=file> ?to let the user enter remote URLs ]
>>>
>>> When a user through selection, click+drag or manual entry of a URL
>>> should the browser still submit an Origin request header? It seems that
>>> CORS doesn't come into effect here -- but at the same time, it'd be
>>> handy for logging purposes and added security.
>>
>> I don't think there'd be an origin, but that's rather up to the user
>> agent. (In this case it's acting on behalf of the user, not the page, so I
>> don't think it makes sense to give the page's origin.)
>
> Sounds like an implementer would not include a Referer header, either.
>
> ...
>
> Continuing on with tweaking URLs to work with with the File API:
>
> Chrome has gone ahead with their setData proposal, enhancing the
> event.dataTransfer
> object so that users may drag a file from within the browser onto their
> desktop.
>
> The extension uses setData with a key of DownloadURL and a value including a
> mime type,
> file descriptor and URI.
>
> I'd like this interface to work within ondrop; if getData(DownloadURL) is
> set,
> then a FileList would be returned in event.dataTransfer.files, much like it
> is when
> users drag files from their desktop into the browser.
>
> This would of course require Origin checks; whereas dragging onto the
> desktop
> does not require an Origin check.

I would think that a same-origin check should always be performed. In
firefox, the save-as dialog always displays the website you are
downloading from. However with drag'n'drop no dialog will be shown and
the user will presumably think he/she is downloading from the site
where the drag started.

Or are browsers planning on displaying the save-as dialog?

/ Jonas
Received on Thursday, 26 August 2010 19:53:56 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:26 UTC