On Fri, Mar 21, 2008 at 1:58 AM, ddailey <[EMAIL PROTECTED]> wrote: > In the code which follows, both IE7, FF(2.0), and Safari(3.1) allow the user > to change the src attribute of an image based on her perusal of local file > space. Opera 9.5 doesn't seem to allow access to the path data necessary for > accomplishing this rollover effect, and I suspect that may be how it is > supposed to be according to emerging standards. That is the situation when > the HTML file is stored on localhost.
The web changed, today firefox only provides the leafname, not the full path (this is a good thing for security/privacy reasons), and we don't allow remote access to local content (this is a good thing). Security Error: Content at http://granite.sru.edu/~ddailey/imageUpload.htm may not load or link to file://localhost/78255.png. > If however, one places the code on a server (see > http://granite.sru.edu/~ddailey/imageUpload.htm) then the program works from > none of the browsers. apologies in advance if I made a mistake :( > > While I understand the possible risk of exposing a path name of the local > file system to script, the various use cases of allowing users to access > local images within HTML, the <canvas> tag and within <svg> all seem > self-evident to me. Is there some standard workaround to allow the user to > change the source of an image on a web page to one that is locally stored? Security Error: Content at http://www.w3.org/TR/html4/interact/forms.html may not load or link to file:///c:/newfeatures.png. Error: uncaught exception: Load of file:///c:/newfeatures.png denied. data:text/html,<img src="file:///c:/newfeatures.png"> in the modern world, you shouldn't be able to embed local images from remote content. if a user wants to see a preview an image they can use their os, file picker, favorite image viewer, etc. you can silently auto submit the image and send them back a version. > I > used to have a dozen mini-apps that took advantage of the ability to do this > (they even used to work in Netscape 4 and IE 4), but the programs have all > broken in the past few years in all contexts except IE -- (for example here > http://granite.sru.edu/~ddailey/svg/clipembed.html where the input type=file > script is remarkably simple). > > What seems odd to me is that the browsers (except Opera) all seem to expose > the path data to script, despite blocking the easy use of that data. Maybe > I'm missing something obvious. modern browsers will not expose path, only leaf. > Apologies, also, if this issue has already been discussed -- my memory seems > never to have been what it should have been.