Upload Component: restricting file types

Jens · June 2, 2009, 5:08am

Hey!

I’d like to restrict what kind of files can be sent with the upload component to the server, but I haven’t found any nifty API for that purpose. As I see it right now, the only way to do it is by discarding files of wrong file types after the upload, in the uploadSucceeded -method. Is that right?

Jonatan · June 2, 2009, 6:14am

I don’t think the Upload component currently supports such a thing (correct me if I’m wrong). I did, however, stumble upon a JavaScript technique that could possibly help. Of course it requires you to extend the Upload component and implement it yourself :-/

Restricting filetype in JavaScript

Henrik · June 3, 2009, 7:38am

Adding to Jonatan’s answer, while you can do a “works usually most of the time”-hack thing, doing this reliably is non-trivial. You can’t rely on the file extension, because it’s easily changed. To be entirely fool-proof, you can’t even rely on the MIME-type said by the browser, because the browser might not identify it at all, or the browser guesses the type wrong.

Since there’s nothing (technically) wrong in giving a JPEG-file a “txt”-extension, the best bet would be to accept whatever you get, analyze the data once you have it (“is this really a JPEG-image?”), and only then reject/accept it.

Dmitri · June 3, 2009, 12:41pm

I do agree that the server-side check is better for the security/analysis reasons. The only problem might be a traffic and average waiting time in case client sending a huge picture or data and his bandwidth is small, however, this seems for me to be minor problem as Internet is quite fast and cheap almost in all areas nova-days. The real issue this may cause only if transmitting data is very heavy, say, 30-40-50 megs and larger, but for such sizes, http upload is not finest solution at all.

Sami · June 3, 2009, 2:36pm

I’m not sure if this is supported by Vaadin, but at least there is this
“accept” mechanism in the HTML upload
.

Kim · June 4, 2009, 5:14am

We actually talked about this option, but even though it exists, none of the major broswers actually support it [
1
].

Peter392 · February 13, 2016, 11:20pm

Isn’t it about time that the “accept” mechanism in the HTML upload got supported on Upload ?
It been a long time since Kim wrote above comment and all browsers now support it. It just gives the user a much better experience because the OS file browser that comes up will by default use your “accept” value as the filter, for example only showing
.xlsx
files if that’s what you want him to upload. The issue here is user experience, not validation (which obviously needs to happen on server-side).

Peter392 · February 13, 2016, 11:21pm

https://dev.vaadin.com/ticket/8857

Michael655 · September 24, 2018, 3:02pm

Vaadin Upload supports accept starting with Vaadin Framework 8.5.0