- From: Adam Barth <w3c@adambarth.com>
- Date: Tue, 22 May 2012 23:57:55 -0700
- To: Maciej Stachowiak <mjs@apple.com>
- Cc: whatwg@whatwg.org, Nico Weber <thakis@chromium.org>
On Tue, May 22, 2012 at 9:16 PM, Maciej Stachowiak <mjs@apple.com> wrote:
> It seems like making FileList mutable would serve the same use case and would also be more flexible (as you could upload a set of files collected from possibly multiple sources). And it seems like adding is a more likely desired behavior than replacing when dragging files onto a multi-file input.
>
> I have not yet fully thought through the security implications of either case. Do you have any security analysis you could share? For instance, is there an exhaustive list of ways a Web page could obtain a FileList, and are we confident that all are safe for this use?

A FileList is just a list of File objects:
http://www.w3.org/TR/FileAPI/#dfn-filelist

Each File object represents the actual file, which means you can use the File API to read the contents of the files on the client already.

> Also: wouldn't anyone doing fancy drag-n-drop file upload be likely to use XHR for upload rather than a form submission?

Not necessarily. In the applications that Nico was working on, he wanted to combine the file upload with other form elements into one POST to the server.

Adam

> On May 22, 2012, at 10:41 AM, Nico Weber <thakis@chromium.org> wrote:
>> Hi,
>>
>> The files attribute of the input element is currently marked readonly
>> [1], to protect from `myInput.files = "/etc/passwd"; myForm.submit()`.
>> Since its type is now FileList and not string, that's no longer
>> necessary.
>>
>> Making the attribute writable would allow setting the files property
>> of an input element to dataTransfer.files from a drop handler. For
>> example, I would like to use this to create a larger drop-target for a
>> file input. Here's one request for this functionality:
>> http://stackoverflow.com/questions/8006715/drag-drop-files-into-standard-html-file-input
>>
>> Can the readonly restriction be removed from the spec?
>>
>> Nico
>>
>>
>> 1: http://www.whatwg.org/specs/web-apps/current-work/multipage/the-input-element.html#the-input-element
>
Received on Wednesday, 23 May 2012 06:59:22 UTC
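As an added example (not code from the thread, the spec or any browser vendor), here is a drop handler for the larger drop target Nico describes, assuming `input.files` becomes writable as proposed. It goes one step beyond the thread: because a drop bypasses the native file picker, the handler re-applies the input's `multiple` and `accept` constraints itself before assigning the files; the helper names are hypothetical, and building a filtered FileList via `new DataTransfer()` is an assumption about browser support.

```javascript
// Added example, not from the thread. Helpers for a custom drop target that
// hands dropped files to an <input type="file">, assuming input.files is
// writable as proposed. The native picker enforces the input's `multiple`
// and `accept` constraints; a drop handler must do so itself, and the
// server must still validate whatever arrives in the POST.
// Hypothetical names: acceptsToken, acceptsFile, selectDroppedFiles, attachDropTarget.

// Match one file against one `accept` token: ".ext", "type/subtype" or "type/*".
function acceptsToken(file, token) {
  const t = token.trim().toLowerCase();
  if (t === '') return false;
  if (t.startsWith('.')) return file.name.toLowerCase().endsWith(t);
  const type = (file.type || '').toLowerCase();
  if (t.endsWith('/*')) return type.startsWith(t.slice(0, -1)); // "image/*" -> "image/"
  return type === t;
}

// True when the file matches any comma-separated token of the input's
// `accept` attribute; an empty attribute accepts everything.
function acceptsFile(file, accept) {
  if (!accept || accept.trim() === '') return true;
  return accept.split(',').some((tok) => acceptsToken(file, tok));
}

// Keep only the dropped files the input may legitimately hold: filter by
// `accept`, and keep just the first match when the input is not `multiple`.
// Works on any array-like of objects with `name` and `type` (File or FileList).
function selectDroppedFiles(files, { multiple = false, accept = '' } = {}) {
  const kept = Array.from(files).filter((f) => acceptsFile(f, accept));
  return multiple ? kept : kept.slice(0, 1);
}

// Browser wiring: stop the default drop navigation, then assign a FileList
// built from the selected files. Assumes a DataTransfer can be constructed
// to build that FileList; never runs under Node, where there is no DOM.
function attachDropTarget(zone, input) {
  zone.addEventListener('dragover', (e) => e.preventDefault());
  zone.addEventListener('drop', (e) => {
    e.preventDefault();
    const chosen = selectDroppedFiles(e.dataTransfer.files, {
      multiple: input.multiple,
      accept: input.getAttribute('accept') || '',
    });
    const dt = new DataTransfer(); // used only as a FileList builder
    chosen.forEach((f) => dt.items.add(f));
    input.files = dt.files; // the writable assignment the thread proposes
  });
}
```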