Browser security

I never quite understood what prevents a website from downloading files from a personal computer.

What is the actual mechanism?

I know that a user must explicitly allow a file upload through a dialogue box, but couldn't it be spoofed?

I do not know the exact answer to your question, but I think it is a good question.

I think if a website uses ActiveX or Java, they can practically do anything. Take Windows Update for instance; it reads and writes lots of things on your PC - checking your current installed updates, downloading & installing new ones, and writing a big logfile while doing all this.

All websites that allow you to perform online malware scans on your computer also read hundreds or thousands of files on your computer. What would prevent them from uploading confidential material from your system?

Most browsers will warn you that a Java applet or ActiveX is being installed, and prompt you to allow/disallow it. But once you've allowed it, there is nothing you can do to prevent the app from running, and doing whatever it wants to do.

Someone with a better understanding of the inner workings of Java or ActiveX can probably shed more light on this issue.