How does Facebook get the full path of my local file?

Question

If you click on the Post on the top right, then drop an image onto the box, Facebook will fail to recognize it as an image and tries to read it as a link. This is not the main point though.

The weird part is that it knows what the fullpath is.

enter image description here

This shouldn't be happening since Chrome is sandboxed, and every path, in theory, should be changed to "fakepath" for security reasons.

Somehow Facebook managed to do that. But the question is, how?

score 4 · Accepted Answer · answered Jan 19 '14 at 00:23

4

Windows XP sends the whole path with the content type text/uri-list.

Here's a snippet that reproduces this fact:

<textarea ondrop="console.log(event.dataTransfer.getData('text/uri-list')); event.preventDefault();">
</textarea>

answered Jan 19 '14 at 00:23

copy

3,084
1
27
33

It returns `about:blank` on Windows 8... Weird. – Derek 朕會功夫 Jan 19 '14 at 03:00
@Derek朕會功夫 I cannot test Windows 8. Have a look at `event.dataTransfer.types` – copy Jan 19 '14 at 03:02
It returns an Array,`["text/uri-list", "Files"]` – Derek 朕會功夫 Jan 19 '14 at 03:04
Okay it works now when I do `e = event.dataTransfer; console.log(e.getData(e.types[0]));` I believe this is a bug or if it isn't then this really is a security hole. – Derek 朕會功夫 Jan 19 '14 at 03:10
@Derek朕會功夫 I think it's as security hole and should be reported – copy Jan 19 '14 at 03:14

How does Facebook get the full path of my local file?

1 Answers1