- From: Michal Zalewski <lcamtuf@coredump.cx>
- Date: Sun, 19 Feb 2012 15:19:48 -0800
The security problems with drag-and-drop are significantly more pronounced than just the banking scenario you are describing. Because the drag-and-drop action is very similar to other types of legitimate interaction (e.g., the use of scrollbars), many practical content-stealing attacks have been demonstrated (e.g., theft of anti-XSRF tokens). Consequently, I believe that Chrome disallows drag-and-drop between non-same-origin frames completely, and Firefox is planning to do the same (https://bugzilla.mozilla.org/show_bug.cgi?id=605991). I strongly suspect that, given the broad and serious exposure, this should be the default, with certain origins being able to specify that they want to allow cross-origin drag-and-drop, perhaps leveraging this API.

/mz
Received on Sunday, 19 February 2012 15:19:48 UTC
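As an added defensive illustration, not code from the message above, the W3C API under discussion, or any browser: a page that renders secrets such as anti-XSRF tokens can refuse to let them be dragged out of its origin by cancelling `dragstart` in the capture phase. The `data-sensitive` attribute and the `ALLOW_CROSS_ORIGIN_DRAG` switch are assumptions of this example, standing in for the per-origin opt-in the message proposes.

```javascript
// Added defensive example; not the original message's, the API's, or any
// browser's code. The page-level switch below is a stand-in for the
// per-origin opt-in the message proposes; default is "no drags leave".
const ALLOW_CROSS_ORIGIN_DRAG = false;

// Walk up from the node where the drag began (a text node for selection
// drags, an element for draggable elements) looking for a data-sensitive
// marker (an attribute name assumed by this example).
function insideSensitiveRegion(node) {
  for (let n = node; n; n = n.parentNode) {
    if (n.nodeType === 1 && typeof n.hasAttribute === 'function' &&
        n.hasAttribute('data-sensitive')) {
      return true;
    }
  }
  return false;
}

// Build a dragstart handler. It returns 'cancelled' or 'allowed' so the
// decision can be checked without a browser.
function makeDragGuard(allowCrossOrigin) {
  return function onDragStart(ev) {
    const sensitive = insideSensitiveRegion(ev.target);
    if (!allowCrossOrigin || sensitive) {
      // Empty the payload first, then abort the drag altogether:
      // a cancelled dragstart never produces a drop anywhere.
      ev.dataTransfer.clearData();
      ev.preventDefault();
      return 'cancelled';
    }
    return 'allowed';
  };
}

// In a browser, register in the capture phase so that other page scripts
// cannot bypass the guard by stopping propagation.
if (typeof document !== 'undefined') {
  document.addEventListener('dragstart',
    makeDragGuard(ALLOW_CROSS_ORIGIN_DRAG), true);
}
```

Because the attacks the message describes rely on the victim page being framed by another origin, this complements rather than replaces framing protection such as the X-Frame-Options header.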