- From: Ian Hickson <ian@hixie.ch>
- Date: Mon, 29 Apr 2013 20:41:51 +0000 (UTC)
- To: JC <mg05182-wwg@yahoo.ca>
- Cc: "whatwg@whatwg.org" <whatwg@whatwg.org>
- Message-ID: <Pine.LNX.4.64.1304292015250.3512@ps20323.dreamhostps.com>

On Mon, 29 Apr 2013, JC wrote:
>
> So far the only way to ask a user to select a file (e.g. to upload an
> attachment in a mail client) without showing the ugly "file input" UI is
> to create one of these elements, hide it somehow, and invoke the "click"
> method on it and listen for the "changed" event.

You can also just accept a drag-and-dropped file.

Having the <input type=file> UI hidden is probably not supposed to be
possible (though it's hard for us to stop it), because it means you can
trick people into clicking the button and bringing up the dialog, which
can, if you know what browser/OS they're using, let you in some cases
trick them into uploading a particular file. (It's gotten harder with
browsers going away from allowing arbitrary text input into that control,
though, so this might no longer be that big a deal.)

> The minimum requirements would be to be able to provide a string for the
> dialog title, a string for the accepted mime types and a boolean to
> specify whether multiple files can be selected at once, the return value
> would be a FileList object [1]. This is essentially the same
> functionality offered by the existing file input element [2] with the
> only addition of a title for the dialog.

We could maybe do this if browser vendors are comfortable with it... it's
definitely something we want to be really careful about, though. For
example, we don't want to set up a situation where a site can trigger a
download of a sensitive file (e.g. bank account details) and then trick
the user into uploading it by asking the user to "Select the file you want
to protect from uploading" or "For debugging purposes, select the newest
file in this directory, which is a log file we just generated".

-- 
Ian Hickson
http://ln.hixie.ch/
Things that are impossible just take longer.

Received on Monday, 29 April 2013 20:42:22 UTC