
Limit characters allowed in extensions in File System Access API file pickers

Category: File APIs
Type: No developer-visible change
Status: Enabled by default (Chrome 88)
Intent stage: Shipped

Summary

To improve security, the File System Access API's showOpenFilePicker() and showSaveFilePicker() methods will limit which characters are allowed in extensions for accepted file types. Specifically, only A-Z, a-z, 0-9, + and . will be allowed; extensions can't end in .local or .lnk and can't be more than 16 characters long.
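The rules in the summary, written as a pre-flight check on the `types` option a page would pass to showSaveFilePicker() or showOpenFilePicker(). This is an added example, not Chrome's implementation; the helper names, the sample options, counting the leading dot toward the 16-character limit, and case-insensitive matching of .local and .lnk are assumptions.

```javascript
// Added example: mirrors the rules listed in the summary above.
const MAX_LEN = 16;                    // page: no more than 16 characters
const ALLOWED = /^[A-Za-z0-9+.]+$/;    // page: A-Z, a-z, 0-9, + and .
const BLOCKED_ENDINGS = [".local", ".lnk"];

// Returns the reasons an extension would be rejected (empty array if none).
function checkExtension(ext) {
  if (typeof ext !== "string" || ext.length === 0) {
    return ["not a non-empty string"];
  }
  const reasons = [];
  if (!ALLOWED.test(ext)) reasons.push("disallowed character");
  // Assumption: length is measured on the string as passed, leading dot included.
  if (ext.length > MAX_LEN) reasons.push("longer than 16 characters");
  // Assumption: the blocked endings are compared case-insensitively.
  const lower = ext.toLowerCase();
  if (BLOCKED_ENDINGS.some((e) => lower.endsWith(e))) reasons.push("blocked ending");
  return reasons;
}

// Walks a picker `types` array and reports every extension that fails a rule.
function auditPickerTypes(types) {
  const findings = [];
  for (const [typeIndex, type] of (types ?? []).entries()) {
    for (const [mime, exts] of Object.entries(type.accept ?? {})) {
      // `accept` values may be a single string or an array of strings.
      for (const ext of [].concat(exts)) {
        const reasons = checkExtension(ext);
        if (reasons.length > 0) findings.push({ typeIndex, mime, ext, reasons });
      }
    }
  }
  return findings;
}

// Constructed sample options, not taken from the page.
const sampleTypes = [
  { description: "Text", accept: { "text/plain": [".txt", ".tar.gz"] } },
  { description: "Odd", accept: { "application/octet-stream":
      [".doc.lnk", ".a b", ".averyveryverylongext"] } },
  { description: "C++", accept: { "text/x-c++src": ".c++" } },
];

for (const f of auditPickerTypes(sampleTypes)) {
  console.log(`${f.mime} ${JSON.stringify(f.ext)}: ${f.reasons.join(", ")}`);
}
```

Running the audit over picker options in a unit test catches an extension that would be rejected before a user ever opens the dialog.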

Motivation

Especially in save dialogs, there is danger in allowing arbitrary code points in file extensions/suffixes. Certain suffixes have special meaning or behavior on certain platforms. For predictability, we enforce the same restrictions on all platforms.

Standards & signals

Explainers: https://github.com/WICG/file-system-access/pull/252
