On Tue, 13 Feb 2007, Andreas Beck wrote: > Let scripts and form parser handle upload fields just as usual form > fields. Prefilling them with VALUE, changing them from script, etc. pp. > > BUT: Warn the user about uploading files. The problem here is that a majority of users find browser warnings impossible to understand, far too frequent, perceive them as roadblocks (see dancing hamsters, or "reject an invalid certificate"?), and above all, are not sure who is to be trusted (the author of the webpage, who tells us to click "yes", or the author of a browser, who is a whiny geek?). Otherwise, we wouldn't have *millions* of users running attached EXE files or clicking to install ActiveX controls despite big, honking, sometimes repeated warnings that say "YOUR COMPUTER WILL BE OWNED" and default to "cancel". Adding warnings that pop up during normal activity (such as uploading your new baby photos) further blurs the line and conditions users into clicking "yes" on all such notices. So, although it's a good solution from a technical standpoint, I do not think it's optimal as far as users are concerned - whenever we can avoid giving a non-expert user a choice without impacting functionality, we should go for it. In this particular case, preventing scripts from reading .value of such input fields, moving focus to or away from these fields, and in any way influencing the delivery of keystroke events while this field is in focus, seems to be a good solution that wouldn't significantly interfere with legitimate web functionality. /mz
