- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 19 Feb 2009 01:43:00 +0000 (UTC)
On Mon, 26 Jan 2009, Biju Gm at il wrote:
>
> At http://bijumaillist.googlepages.com/2in1.html
> I have iframed http://bijumaillist.googlepages.com/dnd.html
> and http://www.whatwg.org/demos/2008-sept/dnd/dnd.html
>
> Now I can drag items between iframes.
> This is good when we do mashups.
>
> But I wonder whether this will create a similar vulnerability like
> Click Jacking.
> - ie, A cross site DnD Jacking
>
> So how can I...
> 1. say to where all (domain) things can be dragged?
> 2. find from which domain things are dropped.
> 3. find the handle of source window at destination and vice versa.
> 4. while we in ondragenter/ondragover phase find what will be dropped later.

The solutions to click-jacking that have been proposed (see my recent
reply to that thread) should take care of these too. I'll make sure to
keep this in mind, though.

Cheers,
--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Wednesday, 18 February 2009 17:43:00 UTC