[whatwg] Drag and Drop Security Model and current implementations

Oliver Hunt oliver at apple.com
Mon Aug 24 22:29:37 PDT 2009


> I've made the "types" list visible during all the events, but I'm
> skeptical about making everything available. We'll probably revisit this
> in a few years when we have a test suite for this. (I probably need to
> rewrite the way this section is written before making any more significant
> changes.)

I agree as I'm unsure what else *could* be safely exposed before the
drop event -- realistically anything beyond the types seems risky:
ignoring the obvious risks of exposing actual content, exposing any
form of URI may lead to unintended information leaking (you have to
assume that people are dragging random private files, URLs, etc across
windows and do not intend to drop them).

--Oliver
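
The exposure rule discussed in this message, as an added example that is not part of the original mail or of any browser's code: a page handler can list the dragged types during every event but gets payloads only on drop, so a drag that merely crosses the window discloses no URI. The names `dispatch`, `observe` and `SAMPLE`, the sample data, and the choice to invalidate a view once its event ends are assumptions made for illustration.

```javascript
// Added illustration; dispatch(), observe() and SAMPLE are hypothetical names.
// Constructed sample drag: the kind of private URI a user may drag across a window.
const SAMPLE = new Map([
  ["text/uri-list", "file:///home/user/private/payroll.xls"],
  ["text/plain", "payroll.xls"],
]);

// Deliver one drag event to a page handler with a view that enforces the rule:
// type names are listed for every event, payloads are returned only for "drop".
function dispatch(store, eventName, handler) {
  let live = true; // cleared when the event ends, so a stashed view goes dead
  const readable = eventName === "drop";
  const view = {
    get types() { return live ? [...store.keys()] : []; },
    getData(type) {
      return live && readable && store.has(type) ? store.get(type) : "";
    },
  };
  try { handler(view); } finally { live = false; }
}

// A page that records everything it can read, and retries on stashed views
// after the events are over.
function observe(store, eventNames) {
  const types = new Set();
  const data = [];
  const stashed = [];
  const grab = (view, names) => {
    for (const t of names) {
      const v = view.getData(t);
      if (v !== "") data.push(v);
    }
  };
  for (const name of eventNames) {
    dispatch(store, name, (view) => {
      stashed.push(view);
      view.types.forEach((t) => types.add(t));
      grab(view, view.types);
    });
  }
  for (const view of stashed) grab(view, [...store.keys()]); // late retry
  return { types: [...types], data };
}

// Drag passes over the window and leaves: types seen, no payload disclosed.
console.log(observe(SAMPLE, ["dragenter", "dragover", "dragleave"]));
// User actually drops: payloads are read during "drop" only.
console.log(observe(SAMPLE, ["dragenter", "dragover", "drop"]));
```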


