[whatwg] DnD Jacking
ian at hixie.ch
Wed Feb 18 17:43:00 PST 2009
On Mon, 26 Jan 2009, Biju Gm at il wrote:
> At http://bijumaillist.googlepages.com/2in1.html
> i have iframed http://bijumaillist.googlepages.com/dnd.html
> and http://www.whatwg.org/demos/2008-sept/dnd/dnd.html
> Now I can drag items between iframes.
> This is good when we do mashups.
> But I wonder whether this will create a similar vulnerability like
> Click Jacking.
> - ie, A cross site DnD Jacking
> So how can I...
> 1. say to where all (domain) things can be dragged?
> 2. find from which domain things are dropped.
> 3. find the handle of source window at destination and vice versa.
> 4. while we in ondragenter/ondragover phase find what will be dropped later.
The solutions to click-jacking that have been proposed (see my recent
reply to that thread) should take care of these too. I'll make sure to
keep this in mind, though.
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
More information about the whatwg