I am working on a small photo application in which the user selects a local file and it is placed on the canvas using window.URL.createObjectURL(file) - really the main material. During testing, I briefly dumped the contents of the file array onto the console - just to make sure that I get what I want.
I am using Firefox 31.0 (not Iceweasel) and Chrome 34.0.1847.116 (not Chromium) on Debian 7.
I call the array as follows:
var file = evnt.target.files[0];
if (file) {
  console.log(file);
}
The console.log output looks like this in the Google Chrome browser:
File { name: "image.png" size: 55464 type: "image/png" webkitRelativePath: "" }
And like this in the Mozilla Firefox browser:
File { size: 55464, type: "image/png", name: "image.png", path: "", lastModifiedDate: Date 2014-09-09T13:30:30.000Z, mozFullPath: "/home/server/Desktop/image.png" }
I can request:
console.log(evnt.target.files[0]['type']);
and correctly get "image/png" as the answer, however, when I ask:
console.log(evnt.target.files[0]['mozFullPath']);
I just get the answer: ""
Why does this information flow through the evnt.target.files[0] array, but is invisible when I call it directly?
Is this information about the structure of my file system only displayed by my privileged console, or can it be passed through man-in-the-middle attacks in my browser?
EDIT
In older Firefox browsers, this would improve permissions:
netscape.security.PrivilegeManager.enablePrivilege("UniversalBrowserRead");
But this is no more. Anyway, this is a problem when using Firefox on public Linux terminals / other people's computers, because it is leaking file system data, such as the directory structure and system username. Together with other feats, this seems to me a dangerous threat ... Or am I just overreacting?
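A check of what page script itself can read from the selected File, independent of how the developer console renders the object. This is an added example, not part of the original post: `readableFileProperties`, `findPathLeaks` and the two sample classes are hypothetical names, and the sample objects are constructed from the values quoted above.

```javascript
// Added example (not from the original post). Audits the values that page
// script can read from a File-like object and flags absolute paths.
const PATH_LIKE = /^(?:\/|[A-Za-z]:[\\/]|\\\\)/; // POSIX, Windows drive, UNC

function readableFileProperties(file) {
  const seen = new Map();
  // File attributes are getters on the prototype chain, so Object.keys(file)
  // alone would miss them; walk every level below Object.prototype.
  for (let obj = file; obj && obj !== Object.prototype;
       obj = Object.getPrototypeOf(obj)) {
    for (const name of Object.getOwnPropertyNames(obj)) {
      if (seen.has(name) || name === 'constructor') continue;
      let value;
      try { value = file[name]; } catch (e) { continue; } // getter refused
      if (typeof value === 'function') continue;           // skip methods
      seen.set(name, value);
    }
  }
  return seen;
}

function findPathLeaks(file) {
  const leaks = [];
  for (const [name, value] of readableFileProperties(file)) {
    if (typeof value === 'string' && PATH_LIKE.test(value)) leaks.push(name);
  }
  return leaks;
}

// Constructed sample: the values the post's own script read in Firefox.
class ScriptViewFile {
  get name() { return 'image.png'; }
  get size() { return 55464; }
  get type() { return 'image/png'; }
  get mozFullPath() { return ''; }
}
// Constructed counter-example: what the check reports if a path is readable.
class LeakyFile extends ScriptViewFile {
  get mozFullPath() { return '/home/server/Desktop/image.png'; }
}

console.log(findPathLeaks(new ScriptViewFile())); // []
console.log(findPathLeaks(new LeakyFile()));      // [ 'mozFullPath' ]
```

In the page from the post, the same check would be called as `findPathLeaks(evnt.target.files[0])` inside the change handler.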