[whatwg] DND: proposal to expose origin

Ryosuke Niwa rniwa at webkit.org
Sun Feb 19 16:01:48 PST 2012


This proposal sounds reasonable.

On Fri, Feb 17, 2012 at 1:35 AM, Anne van Kesteren <annevk at opera.com> wrote:
>
> Names are chosen to be compatible with those used by HTML5 Web Messaging.
>
> dataTransfer.origin
>  Returns a DOMString consisting of the protocol, domain and optional port, of
>  the origin where the drag started:
>  http://evilsite.com
>  http://evilsite.com:8080
>
>  If the drag was not started on an origin (such as a dragged file from the
>  desktop), or on a URL that is not a scheme/host/port tuple, the value should
>  be the string value "null". This conforms with HTML5 subsection "Unicode
>  serialization of an origin" -
>  http://dev.w3.org/html5/spec/origin-0.html#unicode-serialization-of-an-origin
>  Attempts to write to dataTransfer.origin will be ignored but not throw an
>  error, in accordance with WebIDL.
>
> dataTransfer.allowTargetOrigin(targetOrigin)
>  Defines an origin match for sites which may receive the dropped data. If this
>  method is not called, then all sites and applications may be considered
>  dropzones.
>

As Michal mentioned, can we make the default action not to make
cross-origin pages dropzones? Or at least let implementors choose?

Alternatively, you can make this property an array (e.g.
allowedTargetOrigins) and the UA can fill in the default.
e.g. allowedTargetOrigins will be ["*"] on UAs that allow cross-origin by
default but will be ["http://banksite.com/"] on UAs that don't allow it
by default.

- Ryosuke
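
The origin serialization and the UA-filled allowed-target list discussed in this message, as an added JavaScript model that is not part of the original thread or of any browser implementation. The function names are hypothetical, and treating the restrictive default as the drag's own origin is an assumption.

```javascript
// Hypothetical model of the proposed API; no shipping DataTransfer has these members.

// Proposal's serialization: scheme://host[:port], or the string "null" when the
// drag has no scheme/host/port origin (desktop file, data: URL, unparsable input).
function serializeOrigin(url) {
  try {
    return new URL(url).origin; // WHATWG URL already yields "null" for opaque origins
  } catch (e) {
    return "null";
  }
}

// Default list a UA would fill in. Assumption: a restrictive UA defaults to the
// drag's own origin, a permissive UA to the wildcard.
function defaultAllowedTargetOrigins(sourceUrl, uaAllowsCrossOrigin) {
  return uaAllowsCrossOrigin ? ["*"] : [serializeOrigin(sourceUrl)];
}

// Decide whether the page at targetUrl may act as a dropzone.
function isDropAllowed(allowedTargetOrigins, targetUrl) {
  const target = serializeOrigin(targetUrl);
  return allowedTargetOrigins.some((entry) => {
    if (entry === "*") return true;
    // Normalize list entries so "http://banksite.com/" equals "http://banksite.com".
    const allowed = serializeOrigin(entry);
    // Opaque origins never match each other, so "null" only passes via "*".
    return allowed !== "null" && allowed === target;
  });
}
```

Comparing serialized origins rather than raw strings is what makes the trailing-slash form in the message's example match, and it keeps a scheme or port difference from being treated as the same site.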


