If you are trying to retrieve the ‘value’ of a file input box via Javascript, and you are receiving C:fakepath within the returned value, it is time to blame Internet Explorer 8.

The inclusion of C:\fakepath\ is a security feature of Internet Explorer 8, designed to prevent information regarding the file system structure being exposed when files are selected via a file input box. Current versions of most other web browsers, such as Mozilla Firefox and Google Chrome, will return the file name without any path (relative or absolute).

The HTML5 specification states that the browser’s implementation of a file upload control should not reveal the true path to the file via its ‘value’ attribute. Internet Explorer, as always, does this differently than other browsers by including ‘fakepath’ rather than just removed the local path in its entirety.

This behaviour of Internet Explorer 8 can be overridden by added the size to the list of trusted sites within Internet Explorer 8 Internet options window. I’d personally only recommend this if the system is an secure internal and/or Intranet web-based system which requires the use of the full path.

Ideally, existing systems should be recoded to either not use the full path or to retrieve the full path via another method, such as manual input into a text input field.

I hope this post helps web developers who have unexpectedly come across this strange ‘fakepath’ and been unaware of where it was coming from.