[EMAIL PROTECTED] wrote:
In https://bugzilla.mozilla.org/show_bug.cgi?id=258875 I propose making
the text control in a file input be readonly. This will prevent various
kinds of spoofing attacks, but it may affect usability. Any
objections/counterproposals?

Actually, I also like being able to do what heikki wrote in a different reply... I guess the security concern is automatically entering a file name in the box with a script - what about inventing something that manual editing by the user is possible but automated changes via a script aren't, if that's possible at all? Requiring something with chrome privs (file dialog, eventually routing keyboard input and mouse/keyboard pasting through something setting those) to change the content of the field?

It's sometimes quite practical to copy the path from somewhere (other app or other file control) and just paste it into the file control, eventually changing a letter or number there manually afterwards... If we just can make sure the user did the action himself and did not have some page-bound script doing it, then we should be fine, I think...

Robert Kaiser
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
