[Webkit-unassigned] [Bug 47593] New: Require a user gesture to open the file dialog

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Wed Oct 13 07:22:08 PDT 2010 

https://bugs.webkit.org/show_bug.cgi?id=47593

           Summary: Require a user gesture to open the file dialog
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: UNCONFIRMED
          Severity: Normal
          Priority: P2
         Component: HTML DOM
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: jnd at chromium.org
                CC: abarth at webkit.org, jschuh at chromium.org,
                    inferno at chromium.org


<Input type=file> is represented as a file upload control in WebKit, it is a sensitive control since it can access users' local file(s). 
So ideally browser should only allow doing the file choosing behavior via user gesture, but so far only Firefox does.(Please refer to http://mxr.mozilla.org/mozilla/source/content/html/content/src/nsHTMLInputElement.cpp#1413)
A chromium bug(http://crbug.com/58319) is related to this bug.

For example, when running the following code, there is no file select dialog only in Firefox, other main-stream browsers show the file dialog.
<input type="file" id="f">
<script>setTimeout("document.getElementById('f').click();", 1);</script>

I suggest requiring a user gesture to open the file dialog in WebKit like Firefox does

To do this, there are two ways.
1) Only direct user gesture event can open the file dialog. The direct user gesture event(key/mouse) means the event must dispatch on the <input type=file>, which can ensure the file dialog is opened by users' true intention.
2) The file dialog can be opened as long as a user gesture happens at that time, which means you can open the file dialog in user gesture event dispatched on other elements, which may be more convenient

For example. when running the following code in WebKit, 
<input type="file" id="f">
<a onclick="document.getElementById('f').click();">click me</a>

In way 1, clicking the text "click me" will not open the file dialog, but the file dialog does open in way 2.

I personally prefer the way 1, since it's more safe.

Any suggestions?

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list