[whatwg] DND: proposal to expose origin
Ryosuke Niwa
rniwa at webkit.org
Sun Feb 19 16:01:48 PST 2012
This proposal sounds reasonable.
On Fri, Feb 17, 2012 at 1:35 AM, Anne van Kesteren <annevk at opera.com> wrote:
>
> Names are chosen to be compatible with those used by HTML5 Web Messaging.
>
> dataTransfer.origin
> Returns a DOMString consisting of the protocol, domain and optional port,
> of
> the origin where the drag started:
> http://evilsite.com
> http://evilsite.com:8080
>
> If the drag was not started on an origin (such as a dragged file from the
> desktop), or on a URL that is not a scheme/host/port tuple, the value
> should
> be the string value "null". This conforms with HTML5 subsection "Unicode
> serialization of an origin" -
> http://dev.w3.org/html5/spec/**origin-0.html#unicode-**
> serialization-of-an-origin<http://dev.w3.org/html5/spec/origin-0.html#unicode-serialization-of-an-origin>
> Attempts to write to dataTransfer.origin will be ignored but not throw an
> error, in accordance with WebIDL.
>
> dataTransfer.**allowTargetOrigin(**targetOrigin)
> Defines an origin match for sites which may receive the dropped data. If
> this
> method is not called, then all sites and applications may be considered
> dropzones.
>
As Michal mentioned, can we make the default action not to make
cross-origin pages dropzones? Or at least let implementors choose?
Alternatively, you can make this property an array (e.g.
allowedTargetOrigins) and UA can fill in the default.
e.g. allowedTargetOrigins will be ["*"] on UAs that allows cross-origin by
default but will be ["http://banksite.com/"] on UAs that doesn't allow it
by default.
- Ryosuke
More information about the whatwg
mailing list