Replace the textbox in the file upload control with a text label

RESOLVED WONTFIX

Status


defect
RESOLVED WONTFIX
14 years ago
12 years ago

People

(Reporter: jruderman, Assigned: roc)

Tracking

Trunk
mozilla1.8.1beta2
Bug Flags:
blocking1.8.1 -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [p-safari])

Attachments

(2 attachments)

Reporter

Description

14 years ago
Now that bug 258875 is fixed, the textbox in the file upload control should be removed because:

(1) It's confusing UI.

(2) It might increase the attack surface for the file upload control. Several attacks against the file upload control have worked by getting a reference to the file upload control's textbox and modifying its value directly.  See bug 29517, bug 163598, bug 164023, and bug 164086.  We're still finding ways for scripts to reference the textbox (e.g. bug 313664) but that might not be a problem anymore because bug 164086 introduced a general fix.

It should be replaced by a filename label, like in Safari.  For safety, uploading should not look at the current value of the label, but at the value (or a new member variable) of the upload control.

For bonus points, show an icon representing the file.  For more bonus points, show a thumbnail if the file being uploaded is an image.
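The safety point in the description (submission should read a member variable of the upload control, never the displayed text) can be seen in a small model. This is an added example, not part of the original bug report and not Gecko code; the class names, method names and file paths are all constructed for illustration.

```javascript
// Constructed model of the two designs; not Gecko code. All names are hypothetical.
function basename(path) {
  return path.split(/[\\/]/).pop();
}

// Design the description warns about: the visible textbox is the source of truth.
class TextboxBackedUpload {
  constructor() {
    this.display = { value: "" }; // the widget a script reference would reach
  }
  userPicked(path) { this.display.value = path; } // called by the file picker
  fileToSubmit() { return this.display.value || null; } // trusts the widget
}

// Design the description proposes: a member variable written only by the picker,
// with the label as a one-way rendering of it.
class LabelBackedUpload {
  #chosenPath = null; // never exposed through the display widget
  constructor() {
    this.display = { value: "" }; // filename label, display only
  }
  userPicked(path) {
    this.#chosenPath = path;
    this.display.value = basename(path);
  }
  fileToSubmit() { return this.#chosenPath; } // ignores the label entirely
  labelMatchesSelection() {
    const expected = this.#chosenPath === null ? "" : basename(this.#chosenPath);
    return this.display.value === expected;
  }
}

// The user picks one file, then page script that obtained a reference to the
// display widget overwrites its value. Both paths are constructed samples.
function submitAfterTampering(control) {
  control.userPicked("/constructed/home/photo.png");
  control.display.value = "/constructed/not-chosen.txt";
  return control.fileToSubmit();
}

function demo() {
  const hardened = new LabelBackedUpload();
  return {
    textboxBacked: submitAfterTampering(new TextboxBackedUpload()),
    labelBacked: submitAfterTampering(hardened),
    labelMatches: hardened.labelMatchesSelection(),
  };
}
console.log(demo());
```

In the textbox-backed model the tampered value is what gets submitted; in the label-backed model the submitted file is still the one the user picked, and the mismatch between label and selection is detectable.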
Reporter

Comment 1

14 years ago
Reporter

Comment 2

14 years ago
Reporter

Updated

14 years ago
No longer blocks: 258875
Nominating for aviary2; I think this is definitely worth considering as a front-end change for FFx2. Not sure about how it will affect layouts, though - we might want to continue to render the file input text area, but as a disabled/non-edit field ...
Flags: blocking-aviary2?

Comment 4

14 years ago
there's a bug somewhere about letting you specify the filename to send to the server and the contenttype of the file. and if there isn't such a bug, i'd still like that to be kept in mind :).

but yes, we have to do at least what comment 0 says (if only for reason 1).
We can already do the file icon by using moz-icon on Windows/Mac, but I think this is an important 1.8.1 fix if we're taking the disabled textbox change.
Flags: blocking-aviary2? → blocking1.8.1+
Hang on now ... bug 258875 is open again. Adding dependency.
Depends on: 258875

Comment 7

13 years ago
-> roc

It looks like this isn't going to make FF2b1, but we'd really like to see it happen for FF2b2.  (Marking blocking1.8.1- since it isn't going to make beta1.)
Assignee: nobody → roc
Flags: blocking1.8.1+ → blocking1.8.1-
Whiteboard: [ff2b2]

Updated

13 years ago
Flags: blocking1.8.1- → blocking1.8.1+
Whiteboard: [ff2b2]
Target Milestone: --- → mozilla1.8.1beta2
A text label is the wrong way to go here. We want it to look like an input field, we just want that input field to only be populated by a file choosing dialog. See bug 258875 comment 80 for further thoughts about how to make this workable.
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Flags: blocking1.8.1+ → blocking1.8.1-
Resolution: --- → WONTFIX
Reporter

Updated

12 years ago
Whiteboard: [p-safari]