[whatwg] DND: proposal to expose origin

Michal Zalewski lcamtuf at coredump.cx
Sun Feb 19 15:19:48 PST 2012


The security problems with drag-and-drop are significantly more
pronounced than just the banking scenario you are describing. Because
the drag-and-drop action is very similar to other types of legitimate
interaction (e.g., the use of scrollbars), many practical
content-stealing attacks have been demonstrated (e.g., theft of
anti-XSRF tokens).

Consequently, I believe that Chrome disallows drag-and-drop between
non-same-origin frames completely, and Firefox is planning to do the
same (https://bugzilla.mozilla.org/show_bug.cgi?id=605991).

I strongly suspect that, given the broad and serious exposure, this
should be the default, with certain origins being able to specify
that they want to allow cross-origin drag-and-drop, perhaps leveraging
this API.

/mz
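The opt-in policy sketched in the message, written out as an added example (not code from the thread or from any browser): drops are denied by default, accepted from the page's own origin, and accepted from a constructed allowlist only when the source origin is exposed; a `dragstart` guard keeps anti-XSRF tokens and other marked content from being dragged out at all. The `event.dataTransfer.origin` property is assumed here to stand for the origin the proposal would expose; it is not an existing DataTransfer field.

```javascript
// Constructed allowlist of origins this page accepts drops from.
const ALLOWED_DROP_SOURCES = new Set(["https://partner.example"]);

// Decide whether a drop from sourceOrigin may land on a page at pageOrigin.
// A missing, opaque ("null"), or unparsable source origin is denied: that is
// the secure default the message argues for.
function dropAllowed(sourceOrigin, pageOrigin, allowlist = ALLOWED_DROP_SOURCES) {
  if (typeof sourceOrigin !== "string" || sourceOrigin === "null") return false;
  let parsed;
  try {
    parsed = new URL(sourceOrigin); // tolerates a full URL, reduces it to its origin
  } catch {
    return false;
  }
  const origin = parsed.origin;
  if (origin === "null") return false; // opaque origins never qualify
  return origin === pageOrigin || allowlist.has(origin);
}

// True if the drag started inside content the page marks as sensitive, or on a
// form control whose name looks like an anti-XSRF token. Walks up the ancestors
// so a drag that begins on a child of a marked container is also caught.
function isSensitive(node) {
  for (let el = node; el && typeof el.getAttribute === "function"; el = el.parentElement) {
    if (el.hasAttribute("data-sensitive")) return true;
    const name = (el.getAttribute("name") || "").toLowerCase();
    if (/csrf|xsrf|token/.test(name)) return true;
  }
  return false;
}

// Wire both checks into a document. Capturing listeners run before page scripts.
function installGuards(doc, pageOrigin) {
  doc.addEventListener("dragstart", (e) => {
    if (isSensitive(e.target)) e.preventDefault(); // sensitive content is not draggable
  }, true);
  doc.addEventListener("drop", (e) => {
    // Hypothetical: the origin the proposal would expose on the DataTransfer.
    const src = e.dataTransfer && e.dataTransfer.origin;
    if (!dropAllowed(src, pageOrigin)) e.preventDefault(); // reject the drop
  }, true);
}

// Only attach to a real DOM; the policy functions above work without one.
if (typeof document !== "undefined") installGuards(document, location.origin);
```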


