- From: Ryosuke Niwa <rniwa@webkit.org>
- Date: Sun, 19 Feb 2012 16:01:48 -0800
This proposal sounds reasonable.

On Fri, Feb 17, 2012 at 1:35 AM, Anne van Kesteren <annevk at opera.com> wrote:
>
> Names are chosen to be compatible with those used by HTML5 Web Messaging.
>
> dataTransfer.origin
> Returns a DOMString consisting of the protocol, domain and optional port, of
> the origin where the drag started:
> http://evilsite.com
> http://evilsite.com:8080
>
> If the drag was not started on an origin (such as a dragged file from the
> desktop), or on a URL that is not a scheme/host/port tuple, the value should
> be the string value "null". This conforms with HTML5 subsection "Unicode
> serialization of an origin" -
> http://dev.w3.org/html5/spec/origin-0.html#unicode-serialization-of-an-origin
> Attempts to write to dataTransfer.origin will be ignored but not throw an
> error, in accordance with WebIDL.
>
> dataTransfer.allowTargetOrigin(targetOrigin)
> Defines an origin match for sites which may receive the dropped data. If this
> method is not called, then all sites and applications may be considered
> dropzones.
>

As Michal mentioned, can we make the default action not to make cross-origin pages dropzones? Or at least let implementors choose?

Alternatively, you can make this property an array (e.g. allowedTargetOrigins) and the UA can fill in the default. e.g. allowedTargetOrigins will be ["*"] on UAs that allow cross-origin by default but will be ["http://banksite.com/"] on UAs that don't allow it by default.

- Ryosuke
Received on Sunday, 19 February 2012 16:01:48 UTC
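
The origin serialization and target-origin match discussed in this thread, as an added example that is not part of the original message or of any browser's code. `serializeOrigin`, `defaultAllowedTargets` and `isDropAllowed` are hypothetical helpers; the reading that a restrictive UA defaults to the drag source's own origin is an assumption, and all URLs are constructed sample values.

```javascript
// Added illustration of the proposal; none of these helpers are real browser APIs.

// Serialize an origin as the proposal describes: "scheme://host[:port]" for
// scheme/host/port tuples, and the string "null" for everything else.
function serializeOrigin(sourceUrl) {
  if (!sourceUrl) return "null";          // e.g. a file dragged from the desktop
  try {
    // URL.origin drops default ports and yields "null" for non-tuple schemes.
    return new URL(sourceUrl).origin;
  } catch (e) {
    return "null";                        // not parseable as a URL
  }
}

// UA-supplied default for the suggested allowedTargetOrigins array.
// Assumption: "restrictive" means only the drag source's own origin is allowed.
function defaultAllowedTargets(uaPolicy, dragSourceUrl) {
  return uaPolicy === "permissive" ? ["*"] : [serializeOrigin(dragSourceUrl)];
}

// Decide whether a candidate drop target may receive the dragged data.
function isDropAllowed(allowedTargetOrigins, dropTargetUrl) {
  if (allowedTargetOrigins.includes("*")) return true;
  const target = serializeOrigin(dropTargetUrl);
  if (target === "null") return false;    // opaque origins never match a named origin
  // Normalize entries so "http://banksite.com/" matches "http://banksite.com".
  return allowedTargetOrigins.some((entry) => serializeOrigin(entry) === target);
}

// Constructed scenario: a drag starts on banksite.com and is dropped elsewhere.
function demo() {
  const source = "http://banksite.com/accounts";
  const targets = ["http://banksite.com/transfer", "http://evilsite.com:8080/"];
  const result = {};
  for (const policy of ["permissive", "restrictive"]) {
    const allowed = defaultAllowedTargets(policy, source);
    result[policy] = targets.map((t) => isDropAllowed(allowed, t));
  }
  return result;
}

console.log(demo());
```
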