John J. Barton wrote:
I'd avoid 'paste' at this point since there are security concerns. I.e. if you can get the user to copy the string '/etc/passwd' and then paste it to the right place.

Is this different from a web page that instructs them to type '/etc/passwd' into the control? The "if you can get the user" part is exactly what makes this not a security hole.

Yes, this is somewhat different. It's a lot easier to see that you're typing in a file input (if we do this right; e.g. if the only way to do that is via a filepicker) than it is to see that you're pasting into one if we're not requiring a file picker in the process.

Same thing with drag'n'drop support.

Yep, same thing. User is draggin' and droppin'

You might not realize that you're dragging a filename (e.g. if you drag some stuff on the page that happens to serialize to a filename) or for that matter dropping it on a file input (opacity: 0.001, say).

When do we get new reasonable features then? Dealing with files in Firefox is significantly more painful than it should be.

When we come up with a way of doing it securely. Ideas very much welcome.

-Boris