[whatwg] Drag and Drop Security Model and current implementations

Aron Spohr aron at aspohr.de
Tue Aug 25 04:20:39 PDT 2009

Hi Oliver,

> I agree as I'm unsure what else *could* be safely exposed
> before the drop event -- realistically anything beyond the
> types seems risky: ignoring the obvious risks of exposing
> actual content, exposing any form of URI may lead to
> unintended information leaking (you have to assume that
> people are dragging random private files, urls, etc across
> windows and do not intend to drop them)

I generally agree. However in this particular case (which is currently implemented in the latest versions of Firefox and Google) full access is only granted if the original and the target page are the same. For instance: If you drag something from http://www.mywebapp.com/ to another window serving http://www.mywebapp.com/. Only in this particular case the target application or page has access to all the data during a dragover event (and other events). I believe that makes sense as it is literally the same application which created and stored the data to the dataTransfer object in the first place. It's just using multiple browser-windows. As you can see this wouldn't work if people drag private files, urls from other sources across..



More information about the whatwg mailing list