Setting the default filename

The HTML 4.01 specification describes the value attribute for a file input field by saying that browsers (user agents) "may use the value of the value attribute as the initial file name". Browsers, however, usually do not support this. The usual explanation is "security reasons". And indeed it would be a security risk if files from the user's disk were submitted without the user's consent. It might be all too easy to lure some users into submitting some password files! But in fact RFC 1867 duly notes this problem; in section 8, Security Considerations, it says:

It is important that a user agent not send any file that the user has not explicitly asked to be sent. Thus, HTML interpreting agents are expected to confirm any default file names that might be suggested with <INPUT TYPE=file VALUE="yyyy">.

It also mentions (in section 3.4) that the use of value "is probably platform dependent" but then goes on: "It might be useful, however, in sequences of more than one transaction, e.g., to avoid having the user prompted for the same file name over and over again." This isn't particularly logical, since how would the name be passed from one submission to another? (The mechanism for getting the original file name would be quite unreliable for such purposes.) A more useful application could be this: Assume that your form is for reporting a problem with a particular program, say Emacs, and that program uses a configuration file with some specific name, say .emacs, so that you would very much like to get the user's config file for problem analysis. Setting the default name, if supported by the browser, might be an extra convenience to the user.

Thus, browsers just failed to implement it, for no good reason. This isn't a very important flaw, however. The situations where it would make sense to suggest a default file name are rare.

Netscape's old HTML Tag Reference says, in the description of input type="file", that "VALUE=filename specifies the initial value of the input element", but no actual support for this in Netscape browsers has been reported. Similar considerations apply to the corresponding item in Microsoft's HTML Elements reference. It additionally messes things up by describing the intended meaning wrongly: "Sets or retrieves the value of the <INPUT type=file>". The description links to a description of the value attribute which says: "The value, a file name, typed by the user into the control. Unlike other controls, this value is read-only." This probably relates to using the value property in client-side scripting. And in fact, one can read the value in JavaScript (and get the filename entered by the user) but setting it is unsuccessful (without an error message); the same applies to Netscape (but on Opera, even an attempt to read the value seems to confuse the browser). Note that the examples in the above-mentioned documentation do not contain an input type="file" element with a value attribute.

However, support for file input in several versions of Opera handles the value attribute in the following way:

  • the value is displayed in the box for file name input
  • that value can be edited by the user (as an alternative to using the Browse menu, which changes the content of that box)
  • however, if the user submits the form without having changed the initial value, there will be a security alert and the user is requested to confirm the submission.
  • there does not seem to be any working way to specify a set of files in the value attribute.

Such support, however, is absent in Opera 7.54, for some reason.

The following form contains a file input field with value="C:\.emacs". Your browser probably just ignores that attribute, but some browsers may use it to set the initial file name:

An example of Opera's security alert in the situation discussed above:

There was a short-lived bug in Opera 6 that created a security hole, which would have let authors grab users' files without their knowing, i.e. bypassing the dialogue described above.
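
The behaviours described above (the value attribute ignored, script assignment silently dropped or refused, or the name pre-filled as in some Opera versions) can be told apart with a small probe. This is an added example, not code from the original article; the function names and the stub document with its three modes are constructed for illustration.

```javascript
// Added example. Classifies how a DOM treats a suggested file name on
// <input type="file">, via markup (value="...") and via script (el.value = ...).
function probeFileInputDefault(doc, suggested) {
  const result = { attribute: 'ignored', script: 'ignored' };

  const viaAttr = doc.createElement('input');
  viaAttr.setAttribute('type', 'file');
  viaAttr.setAttribute('value', suggested);
  if (viaAttr.value === suggested) result.attribute = 'honoured';

  const viaScript = doc.createElement('input');
  viaScript.setAttribute('type', 'file');
  try {
    viaScript.value = suggested;
    if (viaScript.value === suggested) result.script = 'honoured';
  } catch (err) {
    result.script = 'rejected:' + err.name;
  }
  // RFC 1867 section 8: a pre-filled name must be confirmed by the user before sending.
  result.needsUserConfirmation =
    result.attribute === 'honoured' || result.script === 'honoured';
  return result;
}

// Constructed stand-in for a Document, so the probe also runs outside a browser.
// mode: 'silent' (assignment dropped), 'throws' (assignment raises), 'prefill' (value honoured).
function makeStubDocument(mode) {
  return {
    createElement() {
      let shown = '';
      return {
        setAttribute(name, v) { if (name === 'value' && mode === 'prefill') shown = v; },
        get value() { return shown; },
        set value(v) {
          if (mode === 'throws') {
            const e = new Error('read-only'); e.name = 'InvalidStateError'; throw e;
          }
          if (mode === 'prefill') shown = v;
        },
      };
    },
  };
}

// In a browser the real document is probed; elsewhere the constructed stub is used.
const target = typeof document !== 'undefined' ? document : makeStubDocument('silent');
console.log(probeFileInputDefault(target, 'C:\\.emacs'));
```

A result with needsUserConfirmation set to true marks a user agent that pre-fills the name and therefore has to show a confirmation dialogue like Opera's before submitting.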
