[Webkit-unassigned] [Bug 47593] Require a user gesture to open the file dialog

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Feb 22 23:28:57 PST 2011 

https://bugs.webkit.org/show_bug.cgi?id=47593





--- Comment #15 from Andy Estes <aestes at apple.com>  2011-02-22 23:28:57 PST ---
Hi Johnny,

(In reply to comment #14)
> (In reply to comment #13) 
> After reading mozilla bug https://bugzilla.mozilla.org/show_bug.cgi?id=61098, I think it is to deal with how to avoid creating endless model dialog like alert, like you said it applies to file chooser dialogs as well in Firefox, but this webkit change is to disallow javascript to open the file dialog without user gesture.

Sorry, I linked to the wrong bug. The bug I meant to link to was <https://bugzilla.mozilla.org/show_bug.cgi?id=36619>, which tracks adding a click() method to file input elements. <https://bugzilla.mozilla.org/show_bug.cgi?id=61098> is also relevant here, but wasn't what I was basing my analysis on.

Firefox 4 integrates their implementation with their pop-up blocker, which (if enabled) allows programatic clicks to open a file picker after user confirmation. We don't, so such attempts are blocked regardless of the state of our pop-up blocker.

Firefox 4 also allows file pickers even if the programatic click() and the user gesture are separated by a timeout. Take the following test case for example:

<script>
    window.addEventListener('load', function() {
        document.getElementById('the-link').addEventListener('click', function() {
             setTimeout(function() {
                 document.getElementById('the-file-input').click();
             },1000);
        }, false);
    }, false);
</script>
<input id="the-file-input" type="file">
<a id='the-link' href="#">Programatically click the input.</a>

Firefox 4 will display a file picker one second after clicking 'Programatically click the input'; we won't, again regardless of pop-up blocker state.

There are valid reasons for content authors to programmatically send click events to file input elements via setTimeout() and I think we shouldn't break those use cases.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list