
[whatwg] DND: proposal to expose origin

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Sun, 19 Feb 2012 15:19:48 -0800
Message-ID: <CALx_OUC9LkBhzJ5RdSf0GENono+gaAoSLcF5th=hCg8FgF+DiA@mail.gmail.com>
The security problems with drag-and-drop are significantly more
pronounced than just the banking scenario you are describing. Because
the drag-and-drop action is very similar to other types of legitimate
interaction (e.g., the use of scrollbars), many practical
content-stealing attacks have been demonstrated (e.g., theft of
anti-XSRF tokens).

Consequently, I believe that Chrome disallows drag-and-drop between
non-same-origin frames completely, and Firefox is planning to do the
same (https://bugzilla.mozilla.org/show_bug.cgi?id=605991).

I strongly suspect that, given the broad and serious exposure, this
should be the default, with certain origins being able to specify
that they want to allow cross-origin drag-and-drop, perhaps leveraging
this API.

/mz
Received on Sunday, 19 February 2012 15:19:48 UTC
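The default the message argues for (cross-origin drops refused unless the receiving origin opts in) can be expressed as a small drop-target policy. The following is an added example, not code from the original message or from any browser; it assumes a hypothetical `dataTransfer.origin` property carrying the drag source's origin, which is what an "expose origin" API would provide, and the `#drop-zone` element and `https://partner.example` allowlist entry are constructed for illustration.

```javascript
// Added example (not from the original message). Policy for a drop target:
// same-origin drops are accepted, cross-origin drops only when the source
// origin is explicitly allowlisted, and an unknown source is refused.
// Assumes a hypothetical `dataTransfer.origin` exposing the drag source's
// origin; no shipping browser API is asserted here.

// Parse an origin string such as "https://example.com:8443" into its parts,
// normalising default ports so "https://a.example" matches "https://a.example:443".
function parseOrigin(origin) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/:?#]+)(?::(\d+))?$/i.exec(origin);
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  const host = m[2].toLowerCase();
  const defaultPort = { http: "80", https: "443" }[scheme];
  const port = m[3] || defaultPort || "";
  return { scheme, host, port };
}

// Two origins are the same only if scheme, host and (normalised) port agree.
function sameOrigin(a, b) {
  const pa = parseOrigin(a);
  const pb = parseOrigin(b);
  if (!pa || !pb) return false;
  return pa.scheme === pb.scheme && pa.host === pb.host && pa.port === pb.port;
}

// Decide whether a drop from `sourceOrigin` may be read by a page at
// `pageOrigin`. A missing or unparsable source origin fails closed.
function dropAllowed(sourceOrigin, pageOrigin, allowlist = []) {
  if (typeof sourceOrigin !== "string" || !parseOrigin(sourceOrigin)) return false;
  if (sameOrigin(sourceOrigin, pageOrigin)) return true;
  return allowlist.some((o) => sameOrigin(o, sourceOrigin));
}

// Wire the policy into a drop target: the payload is read only after the
// policy accepts the source origin, so a refused drop is discarded unread.
function attachGuardedDropTarget(element, pageOrigin, allowlist, onAccepted) {
  element.addEventListener("dragover", (e) => e.preventDefault());
  element.addEventListener("drop", (e) => {
    e.preventDefault();
    // Hypothetical property: origin of the drag source, if the platform exposed it.
    const src = e.dataTransfer && e.dataTransfer.origin;
    if (!dropAllowed(src, pageOrigin, allowlist)) return;
    onAccepted(e.dataTransfer.getData("text/plain"));
  });
}

// Browser-only wiring; skipped under Node so the policy functions run stand-alone.
if (typeof document !== "undefined") {
  const target = document.getElementById("drop-zone"); // constructed element id
  if (target) {
    attachGuardedDropTarget(target, location.origin, ["https://partner.example"], (text) => {
      console.log("accepted drop:", text);
    });
  }
}
```

The policy deliberately treats an absent source origin as untrusted: if the platform cannot say where the dragged content came from, the page gets no more than it would under a blanket cross-origin ban, which is the default the message proposes.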
