Firefox has added a small delay to prevent this exploit.
Chrome has responded that it has yet to have been detected and weaponized yet.
Imagine a small game where you must press the [Enter] key rapidly.
Would you, with a few similar boxes in game to detract, notice the Open_Folder_DialogBox for a few frames? Probably not in time to not hit the [Enter] key, giving the webpage's javascript full permissions to everything in the default, selected Folder...which is the C: drive.
> Firefox has added a small delay to prevent this exploit.
This can be a mild irritation in FF. In other contexts it could be very irritating. The problem with blocking user action for the user's safety is that most users don't appreciate it until they do something wrong (by which point I've found the option to turn the protection off!)
A trivial band-aid, such as only delaying the input if the user has repeatedly pressed the [Enter] button in the last 3 seconds, could thwart naive attempts.
A clever bypass would be to have the [Enter] button be pressed when reacting to something on screen, such as an incoming guitar strum or a dinosaur hopping over a cactus, then throw the OpenFileDialog before the goal/expected [Enter] keypress.
Actually there were scam games like that back in the era of Symbian Java Apps. You click-click-click and then a window asking you to send an expensive sms pops up.
Chrome has responded that it has yet to have been detected and weaponized yet.
Imagine a small game where you must press the [Enter] key rapidly.
Would you, with a few similar boxes in game to detract, notice the Open_Folder_DialogBox for a few frames? Probably not in time to not hit the [Enter] key, giving the webpage's javascript full permissions to everything in the default, selected Folder...which is the C: drive.