Hi Ian,
On Sep 22, 2006, at 17:15, Ian Hickson wrote:
> It seems like it would make it possible, through an attack like the famous
> fast clicking game, to cause a user to select a file (probably at random,
> but from the user's home directory, so likely a confidential file).
There are well-known workarounds for this, notably delayed activation
of the dialogue. This could be noted in the specification.
> I would feel much more comfortable if the FileList API was provided merely
> as an extension to the HTMLInputElement interface, thus requiring authors
> to use an <input type=file> control, and requiring users to click the
> Browse button before the dialog would appear.
The problem with this solution is that it then requires that the
environment supports <input type=file>, which isn't always the case.
--
Robin Berjon
Senior Research Scientist
Expway, http://expway.com/
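
The delayed-activation workaround mentioned in the message above, sketched as an added example (not part of the original thread, the specification, or any browser's code). The names `ActivationGuard`, `replay`, `delayMs` and the event trace are hypothetical and constructed for illustration; the assumption is that confirmation is ignored until the dialog has been continuously visible and focused for a fixed delay.

```javascript
// Added illustration: a guard that ignores "confirm" input until the dialog
// has been continuously shown and focused for delayMs milliseconds.
class ActivationGuard {
  constructor(delayMs, now = () => Date.now()) {
    this.delayMs = delayMs;
    this.now = now;        // injectable clock so the logic can be replayed
    this.armedAt = null;   // null means the dialog is hidden or unfocused
  }
  // Call when the dialog is shown or regains focus: the delay restarts.
  arm() { this.armedAt = this.now(); }
  // Call when the dialog is hidden or loses focus.
  disarm() { this.armedAt = null; }
  // True only after the full delay has elapsed since the last arm().
  accepts() {
    return this.armedAt !== null && this.now() - this.armedAt >= this.delayMs;
  }
}

// Replays an event trace and returns the timestamps of the confirm events
// that the guard would honour.
function replay(events, delayMs) {
  let t = 0;
  const guard = new ActivationGuard(delayMs, () => t);
  const honoured = [];
  for (const ev of events) {
    t = ev.t;
    if (ev.type === "show" || ev.type === "focus") guard.arm();
    else if (ev.type === "hide" || ev.type === "blur") guard.disarm();
    else if (ev.type === "confirm" && guard.accepts()) honoured.push(ev.t);
  }
  return honoured;
}

// Constructed trace (times in ms): the user is clicking rapidly on a page
// when a file dialog appears under the pointer.
const SAMPLE_TRACE = [
  { t: 0,    type: "show" },
  { t: 40,   type: "confirm" }, // click already in flight: dropped
  { t: 1200, type: "confirm" }, // deliberate click after the delay: honoured
  { t: 1300, type: "blur" },
  { t: 1350, type: "focus" },   // refocus restarts the delay
  { t: 1400, type: "confirm" }, // too soon after refocus: dropped
  { t: 2500, type: "confirm" }, // honoured
];

console.log(replay(SAMPLE_TRACE, 1000));
```

Restarting the delay on every focus change matters as much as the initial delay, since otherwise a dialog could be shown early and brought to the front only when the click is expected.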