Category: Network and Security
2012-06-26 17:03:38
This section is informative.
This specification allows web content to read files from the underlying file system, as well as provides a means for files to be accessed by unique identifiers, and as such is subject to some security considerations. This specification also assumes that the primary user interaction is with the element of HTML forms [], and that all files that are being read by objects have first been selected by the user. Important security considerations include preventing malicious file selection attacks (selection looping), preventing access to system-sensitive files, and guarding against modifications of files on disk after a selection has taken place.
Preventing selection looping. During file selection, a user may be bombarded with the file picker associated with (in a "must choose" loop that forces selection before the file picker is dismissed) and a user agent may prevent file access to any selections by making the object returned be of size 0.
System-sensitive files (e.g. files in /usr/bin, password files, other native operating system executables) typically should not be exposed to web content, and should not be accessed via . User agents MAY raise a if such files are accessed or a is called on them.
Post-selection file modifications occur when a file changes on disk after it has been selected. In such cases, if a is called on a file, user agents MAY raise a .
This section is provisional; more security data may supplement this in subsequent drafts.
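How a page script can tell apart the three outcomes described above (an empty object returned after a selection loop, a refused read of a sensitive file, and a file that changed after selection), as an added example that is not part of the specification text. The function names and outcome labels are hypothetical, and the error names are the DOMException names browsers report for File API reads, which this page does not spell out; mapping each name to one of the cases above is an assumption.

```javascript
// Outcome labels are made up for this example. The keys are DOMException names
// browsers report for File API read failures; the case each one is mapped to
// is an assumption, since the section above does not name the errors.
const READ_FAILURES = {
  SecurityError: 'blocked-by-user-agent',    // assumed: system-sensitive file refused
  NotReadableError: 'changed-or-unreadable', // assumed: modified on disk after selection
  NotFoundError: 'missing',                  // assumed: removed after selection
};

function describeFailure(err) {
  const name = err && err.name;
  return { outcome: READ_FAILURES[name] || 'read-failed', errorName: name || 'unknown' };
}

// Reads one user-selected File and reports exactly one outcome through `done`.
// `ReaderCtor` is injectable so the logic can be exercised outside a browser.
function readSelectedFile(file, done, ReaderCtor = globalThis.FileReader) {
  let settled = false;
  const finish = (result) => {
    if (!settled) {
      settled = true;
      done(result);
    }
  };
  // A user agent may return size-0 objects to defuse a forced-selection loop:
  // treat that as "nothing usable was selected", not as valid empty content.
  if (!file || file.size === 0) {
    finish({ outcome: 'empty-selection' });
    return;
  }
  try {
    const reader = new ReaderCtor();
    reader.onload = () => finish({ outcome: 'ok', data: reader.result });
    reader.onerror = () => finish(describeFailure(reader.error));
    reader.readAsArrayBuffer(file);
  } catch (err) {
    // Some failures surface as thrown exceptions rather than error events.
    finish(describeFailure(err));
  }
}
```

In a browser, call it from the file input's `change` handler for each entry in `input.files`, and never fall back to stale cached content when the outcome is anything other than `ok`.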