Let me begin by stating that what I'm covering today isn't actually new. It's stuff I've covered here before. But after a conversation with a reader via email I had to write up a quick test to confirm it myself. I don't believe this is a security issue, but I was kinda surprised and therefore I figured it was best to whip up a quick blog post.
Be sure to select a text file only, but you can also read binary data too. (The code would just need to adjust for it.) Also, I apologize for not using Vue. I feel bad. ;)
So here is where the interesting little tidbit came up. In one of my earlier demos, I showed selecting images and getting previews. It also supported multiple selections. So you could pick one image. Then pick another. And so on.
What that demo showed, and what didn't really click with me, is that once a user selects a file, you have read access to it, even after they select another file. As I said, I can see why that works, and it isn't a security issue per se. I mean, the user did select the file. But it kinda surprised me that after I cleared my selection, I could still read it. This CodePen demonstrates this, a bit poorly (I'll explain why in a second):
This demo lets you pick a file, then some more, then more (etc.), and finally upload them all to Postman. Postman doesn't seem to handle the result very well, but from what I can see in DevTools, all files are definitely being uploaded.
I guess that's all I have to say about it. Is anyone else surprised or is it just me?
Header photo by Kiwihug on Unsplash