Re: [whatwg] Proposal: API to ask the user for a file

From: Jonas Sicking <jonas@sicking.cc>
Date: Mon, 29 Apr 2013 15:33:08 -0700
Message-ID: <CA+c2ei9R7aT=4c4i3eiQByDgYART2HUP54QW_xE4ezHr9t+i7w@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: JC <mg05182-wwg@yahoo.ca>, "whatwg@whatwg.org" <whatwg@whatwg.org>

On Mon, Apr 29, 2013 at 1:41 PM, Ian Hickson <ian@hixie.ch> wrote:
> On Mon, 29 Apr 2013, JC wrote:
>> So far the only way to ask a user to select a file (e.g. to upload an
>> attachment in a mail client) without showing the ugly "file input" UI is
>> to create one of these elements, hide it somehow, and invoke the "click"
>> method on it and listen for the "changed" event.
>
> You can also just accept a drag-and-dropped file.
>
> Having the <input type=file> UI hidden is probably not supposed to be
> possible (though it's hard for us to stop it), because it means you can
> trick people into clicking the button and bringing up the dialog, which
> can, if you know what browser/OS they're using, let you in some cases
> trick them into uploading a particular file. (It's gotten harder with
> browsers going away from allowing arbitrary text input into that
> control, though, so this might no longer be that big a deal.)

I think all modern browsers intentionally let webpages create custom
UIs for <input type=file> by completely hiding the <input> and then
rendering a custom UI using various <div> and <span> tags. When the
custom UI is clicked the page calls myInputElement.click() in order to
bring up the file picker UI.

Gecko contains some anti-annoyance protections to prevent the page
from spawning file picker dialogs indefinitely. This is done by
hooking up <input type=file>.click() to popup blocking infrastructure.

So the API being requested here is actually available. But in a really
ugly way through the HTMLInputElement interface.

But I don't really buy the argument that we should supply a new one
because the existing API isn't "reliably available". If the current
API is problematic because there is no way to check if it works, then
I'd prefer to add a way to check if it works, rather than adding a
whole new API.

/ Jonas
Received on Monday, 29 April 2013 22:34:06 UTC
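
The pattern described in the message above (a hidden <input type=file> opened with click() from a page-drawn control), as an added example that is not part of the original post or of any browser's code. The names `canOpenFilePicker`, `attachFilePicker` and the `doc` parameter are assumptions made here; the probe only checks that the control and its click() method exist, not whether the dialog was actually shown.

```javascript
// Added example: wire a page-drawn control to a hidden <input type=file>.
// `doc` is a parameter (normally `document`) so the logic can be exercised
// without a browser.

// Feature probe: an engine that does not implement file inputs reflects an
// unknown type back as "text".
function canOpenFilePicker(doc) {
  const probe = doc.createElement("input");
  probe.type = "file";
  return probe.type === "file" && typeof probe.click === "function";
}

// Returns the hidden input, or null when the probe fails so the caller can
// fall back to a visible control or to drag-and-drop.
function attachFilePicker(doc, trigger, onFiles) {
  if (!canOpenFilePicker(doc)) return null;

  const input = doc.createElement("input");
  input.type = "file";
  input.hidden = true;

  // The selection is only readable after the user confirms the dialog.
  input.addEventListener("change", () => {
    onFiles(Array.from(input.files || []));
  });

  // click() is called synchronously inside the user's own click handler.
  // Calls made outside a user action (timers, page load) are the ones that
  // popup-blocking style protections are meant to stop.
  trigger.addEventListener("click", (ev) => {
    ev.preventDefault();
    input.click();
  });

  doc.body.appendChild(input);
  return input;
}
```

In a page this would be called as `attachFilePicker(document, customButton, handleFiles)`.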