W3C home > Mailing lists > Public > whatwg@whatwg.org > October 2010

[whatwg] Exposing filenames in DataTransfer

From: Daniel Cheng <dcheng@chromium.org>
Date: Mon, 18 Oct 2010 13:59:40 -0700
Message-ID: <AANLkTikkPm5oCqUP0+Z+bx3sRqODqn0OvL2Yq4CAZ4ei@mail.gmail.com>
I've been working on better support of arbitrary MIME types in WebKit for
some time, and I had some implementation questions. In the past, UAs seem to
have gone out of their way to make sure full filesystem paths aren't exposed
to the Javascript (e.g. in the file input control). When I did the work for
WebKit, I implemented the web dragging clipboard as a simple reflection of
the native dragging clipboard.

However, this leads to issues like file system paths being exposed through
properties like "x-special/gnome-icon-list" or even "text/plain". What is
the expected behavior here? Mirroring the native dragging clipboard allows
for a much richer interaction with the system, but I'm not sure if we need
to go out of our way to try to scrub all paths from the drag. After all, if
you're dropping the file on the page, you're already exposing the contents
of the file, which are probably much more interesting than just the path.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20101018/903098e0/attachment.htm>
Received on Monday, 18 October 2010 13:59:40 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:27 UTC