Here’s an idea to avoid leaking path and file names:
var file = window.promptSelectFile(..., access:read)
document.getElementById('filename').style.secureRender = file.token
Editing: <span id='filename' style='path-format:title'>
The file object supports everything you’d expect (read, write, etc.), but doesn’t reveal local paths to the website. Instead it provides an obfuscated token derived by the user agent (e.g. by encrypting the original full pathname with a site-specific key, or by associating each file with a persisted ID).
The secure-render attribute lets the designer create placeholders for the sensitive data anywhere in the HTML content. The browser converts the given token to its corresponding value when the page is rendered, but in such a way that if the site tries to inspect the content, all it gets back is the obfuscated token.
Mechanisms are provided to control how the value is formatted and to localize it into the semantics of the native OS.
path-format could be one of:
    full       // C:\Users\Alice\Documents\Patients\JohnSmith\XRay.png
    directory  // C:\Users\Alice\Documents\Patients\JohnSmith
    name       // XRay.png
    title      // XRay
    extension  // png
I can now build a full-fledged, browser-based file manager without needing to know any pathnames.
Do browsers today have any sort of “placeholder” mechanism like this for websites to display sensitive local data without having to know its content? Can you think of additional use cases where this might be helpful?