Now that bug 258875 is fixed, the textbox in the file upload control should be removed because: (1) It's confusing UI. (2) It might increase the attack surface for the file upload control. Several attacks against the file upload control have worked by getting a reference to the file upload control's textbox and modifying its value directly. See bug 29517, bug 163598, bug 164023, and bug 164086. We're still finding ways for scripts to reference the textbox (e.g. bug 313664) but that might not be a problem anymore because bug 164086 introduced a general fix. It should be replaced by an filename label, like in Safari. For safety, uploading should not look at the current value of the label, but at the value (or a new member variable) of the upload control. For bonus points, show an icon representing the file. For more bonus points, show a thumbnail if the file being uploaded is an image.

Nominating for aviary2; I think this is definitely worth considering as a front-end change for FFx2. Not sure about how it will affect layouts, though - we might want to continue to render the file input text area, but as a disabled/non-edit field ...

there's a bug somewhere about letting you specify the filename to send to the server and the contenttype of the file. and if there isn't such a bug, i'd still like that to be kept in mind :). but yes, we have to do at least what comment 0 says (if only for reason 1).

We can already do the file icon by using moz-icon on Windows/Mac, but I think this is an important 1.8.1 fix if we're taking the disabled textbox change.

Hang on now ... bug 258875 is open again. Adding dependency.

-> roc It looks like this isn't going to make FF2b1, but we'd really like to see it happen for FF2b2. (Marking blocking1.8.1- since it isn't going to make beta1.)

A text label is the wrong way to go here. We want it to look like an input field, we just want that input field to only be populated by a file choosing dialog. See bug 258875 comment 80 for further thoughts about how to make this workable.