[whatwg] DnD Jacking

Ian Hickson ian at hixie.ch
Wed Feb 18 17:43:00 PST 2009

On Mon, 26 Jan 2009, Biju Gm at il wrote:
> At http://bijumaillist.googlepages.com/2in1.html
> i have iframed http://bijumaillist.googlepages.com/dnd.html
> and http://www.whatwg.org/demos/2008-sept/dnd/dnd.html
> Now I can drag items between iframes.
> This is good when we do mashups.
> But I wonder whether this will create a similar vulnerability like
> Click Jacking.
> - ie, A cross site DnD Jacking
> So how can I...
> 1. say to where all (domain) things can be dragged?
> 2. find from which domain things are dropped.
> 3. find the handle of source window at destination and vice versa.
> 4. while we in ondragenter/ondragover phase find what will be dropped later.

The solutions to click-jacking that have been proposed (see my recent 
reply to that thread) should take care of these too. I'll make sure to 
keep this in mind, though.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

More information about the whatwg mailing list