A while back I asked Jesse Ruderman to do a security review of the
FileUpload API. His response is below. I apologise for the tardiness of my
sending these comments (he wrote them months ago, though they still apply,
as the draft has not changed).

FileDialog: open() says "When called, this method MUST prompt the user
with a means to select one or more files." This seems to exclude the
possibility of restricting the call to times when pop-up windows are
allowed. (And I think restricting it in that way would be a good
idea, if only to prevent web pages from badgering you with file
pickers and holding your browser hostage until you give in and select
the file they want.)

I'm worried about the asynchronous nature of open(). Does that mean
scripts can continue running in the background, doing things like
calling alert() or calling open() again? Having an asynchronous API
for a dialog seems strange to me.

I'm surprised that the open() method doesn't let you specify what
content-type you want (e.g. images, sound files, mp3 files, etc). I'm
also surprised it doesn't let you specify whether you want a single
file or multiple files, always assuming you want multiple files.

Requiring users to call addEventListenerNS with a long, opaque
namespace string isn't very nice.

The only things you can do with a file object are "getDataAsString",
etc. For large files it is better to be able to iterate through lines
or characters in the file, and even better to be able to seek.

getDataAsString does not let you specify an encoding. It also does
not specify what should happen if you ask for UTF-8 and the file is
invalid UTF-8 (some programs substitute question marks in diamonds,
some programs warn).

Why is all this stuff separate from the file upload form control?
There will always be apps where you want to upload a file to a server,
and many of them would love to be able to show a preview of what
you're about to upload, do some quick client-side validation, etc.

The "Integration with XMLHttpRequest" section is empty.

fileName: "The name of the file, exclusive of its path." Good.
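As an added illustration of two of the points above (an explicit encoding and invalid-UTF-8 policy for reading file data, and line iteration from a byte offset), here is an example that is not part of the review or of the FileUpload draft; the function names decodeBytes and linesFrom and the sample bytes are constructed for this example, using only the standard TextDecoder and TextEncoder.

```javascript
// Added example, not code from the review or the FileUpload draft.
// Decoding with an explicit encoding and an explicit policy for malformed
// input, instead of leaving the behaviour unspecified as getDataAsString does.
// policy "strict"  -> reject the data (TextDecoder fatal mode throws TypeError)
// policy "replace" -> substitute U+FFFD for each malformed sequence
function decodeBytes(bytes, encoding = "utf-8", policy = "strict") {
  const decoder = new TextDecoder(encoding, { fatal: policy === "strict" });
  try {
    const text = decoder.decode(bytes);
    const replacements = (text.match(/\uFFFD/g) || []).length;
    return { ok: true, text, replacements };
  } catch (err) {
    // Strict mode: the first malformed sequence aborts the whole decode.
    return { ok: false, text: null, replacements: 0, error: err.message };
  }
}

// Iterate over '\n'-terminated lines of a byte buffer starting at a byte
// offset (a simple "seek"), decoding each line with the same explicit policy.
// Yields { offset, ok, text } so a caller can resume from any line later.
function* linesFrom(bytes, startOffset = 0, policy = "strict") {
  let start = startOffset;
  while (start < bytes.length) {
    let end = bytes.indexOf(0x0a, start);
    if (end === -1) end = bytes.length;
    const r = decodeBytes(bytes.subarray(start, end), "utf-8", policy);
    yield { offset: start, ok: r.ok, text: r.text };
    start = end + 1;
  }
}

// Constructed sample: "ab", then an overlong encoding of "/" (0xC0 0xAF),
// then a lone continuation byte 0x80, then "cd". The middle bytes are
// invalid UTF-8, so "strict" rejects the data and "replace" keeps "abcd"
// with replacement characters in between.
const SAMPLE_BYTES = new Uint8Array([0x61, 0x62, 0xc0, 0xaf, 0x80, 0x63, 0x64]);

// Constructed sample for line iteration; "line1\n" is 6 bytes, so line2
// starts at byte offset 6.
const LINES_BYTES = new TextEncoder().encode("line1\nline2\nline3");

console.log(decodeBytes(SAMPLE_BYTES, "utf-8", "strict"));
console.log(decodeBytes(SAMPLE_BYTES, "utf-8", "replace"));
console.log(Array.from(linesFrom(LINES_BYTES, 6)));
```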