Hello nigeltao,
I'd like you to do a code review. Please execute
g4 diff -c 12174476
or point your web browser to
http://mondrian/12174476
(this changelist has been uploaded to Mondrian)
to review the following code:
Change 12174476 by n...@noel-gears on 2009/08/03 16:46:35 *pending*
Fix fake event testing: use 'application/x-gears-files' to
access the files, update the test to work with FF3.5.
PRESUBMIT=passed
R=nigeltao
[email protected]
DELTA=45 (8 added, 17 deleted, 20 changed)
OCL=12174476
Affected files ...
...
//depot/googleclient/gears/opensource/gears/test/manual/drag_and_drop_fake_event_attack.html#9
edit
45 delta lines: 8 added, 17 deleted, 20 changed
If you can't do the review, please let me know as soon as possible. During
your review, please ensure that all new code has corresponding unit tests and
that existing unit tests are updated appropriately. Visit
http://www/eng/code_review.html for more information.
This is a semiautomated message from "g4 mail". Complaints or suggestions?
Mail [email protected].
Change 12174476 by n...@noel-gears on 2009/08/03 16:46:35 *pending*
Fix fake event testing: use 'application/x-gears-files' to
access the files, update the test to work with FF3.5.
OCL=12174476
Affected files ...
...
//depot/googleclient/gears/opensource/gears/test/manual/drag_and_drop_fake_event_attack.html#9
edit
====
//depot/googleclient/gears/opensource/gears/test/manual/drag_and_drop_fake_event_attack.html#9
-
c:\Users\noel.GOOGLE\src-gears/googleclient/gears/opensource/gears/test/manual/drag_and_drop_fake_event_attack.html
====
# action=edit type=text
---
googleclient/gears/opensource/gears/test/manual/drag_and_drop_fake_event_attack.html
2009-08-03 16:42:21.000000000 +1000
+++
googleclient/gears/opensource/gears/test/manual/drag_and_drop_fake_event_attack.html
2009-08-03 16:51:56.000000000 +1000
@@ -1,15 +1,14 @@
-<html><head>
-<title>Gears Drag and Drop, getDragData(fakeEvent, 'Files')</title></head>
+<html>
+<head>
+<title>Gears Drag and Drop, getDragData(fakeEvent, 'Files')</title>
+</head>
<body>
-<ol>
-<li>Drag some files from the desktop.</li>
-<li>Drop them on this DIV.</li>
-<li>???</li>
-<li>Profit!</li>
-</ol>
-<div>Also, click on these buttons below. If you get an alert (by clicking, or
-by dragging, or whatever else) then something is wrong (i.e. Gears drag and
-drop has a potential security hole).</div>
+<div>Drag files from your desktop and drop them on this page.<br>
+Also, click on the buttons below. If you get an alert (by clicking or
+by drag dropping files on this webpage, or whatever else) then something
+is wrong (i.e. Gears drag and drop has a potential security hole).
+</div>
+
<button onclick="tryGetDragData(event)">Click Me 1</button>
<button onclick="tryDispatchEvent(invalidEvent)">Click Me 2</button>
<button onclick="tryDispatchEvent(null)">Click Me 3</button>
@@ -25,6 +24,9 @@
var isFirefox = google.gears.factory.getBuildInfo().indexOf(';firefox') > -1;
var isSafari = google.gears.factory.getBuildInfo().indexOf(';safari') > -1;
var isNpapi = google.gears.factory.getBuildInfo().indexOf(';npapi') > -1;
+var html5 = true;
+if (isFirefox)
+ html5 = (navigator.userAgent.indexOf('Firefox/3.5.') > -1);
var isInManualDispatch = false;
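Review bot: The `html5` flag added here is true on Firefox only when the user agent contains `Firefox/3.5.` with a trailing dot, so a 3.5 build whose UA ends in plain `Firefox/3.5`, and every later Firefox release, is treated as legacy. The listener registration further down in this change then binds `dragexit`/`dragdrop` instead of `dragleave`/`drop`. If those legacy events are not fired, the drop path of this security test presumably never runs, which reads as a pass because no alert appears. Matching the old versions instead, e.g. `html5 = !/Firefox\/(?:[12]\.|3\.0)/.test(navigator.userAgent);`, keeps newer builds on the HTML5 event names. The one-line `if` would also read better with braces.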
@@ -51,7 +53,7 @@
invalidEvent = evt;
if (isDrop) {
try {
- var data = desktop.getDragData(evt, 'Files');
+ var data = desktop.getDragData(evt, 'application/x-gears-files');
// The line above should always throw an exception, if we are in
// manual dispatch (as opposed to a genuine drag and drop event).
if (isInManualDispatch) {
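Review bot: With the flavor string changed to `'application/x-gears-files'` here and in `tryGetDragData` later in the change, the test still appears to treat any exception from `getDragData` as proof that the fake event was rejected. The catch blocks lie outside the visible hunks, so this is inferred, but a build that throws because it does not recognise the new string would pass the manual-dispatch check without exercising event validation at all. A comment such as `// Must be a flavor the build accepts on a genuine drop; otherwise the throw below proves nothing.` would record the dependency. Showing `ex.message` in the catch would let the tester tell the two cases apart.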
@@ -77,45 +79,34 @@
document.getElementById('dropOutput').innerHTML = s;
}
desktop.setDragCursor(evt, 'copy');
- if (isFirefox) {
- if (isDrop) {
- evt.stopPropagation();
- }
- } else if (isIE || isSafari || isNpapi) {
- if (!isDrop) {
- evt.returnValue = false;
- }
+ if (isFirefox && isDrop) {
+ evt.stopPropagation();
+ }
+
+ if (html5 && !isDrop) {
+ evt.returnValue = false;
}
};
}
// For a discussion of various browsers' event models, see
// http://developer.apple.com/internet/webcontent/eventmodels.html
-if (isFirefox) {
- // Firefox uses different event names than IE, WebKit, and HTML5.
- // Specifically, dragexit instead of dragleave, and dragdrop for drop.
- document.addEventListener('dragenter', handler(false, true), false);
- document.addEventListener('dragover', handler(false, true), false);
- document.addEventListener('dragexit', handler(false, false), false);
- document.addEventListener('dragdrop', handler(true, false), false);
-} else if (isSafari || isNpapi) {
- document.addEventListener('dragenter', handler(false, true), false);
- document.addEventListener('dragover', handler(false, true), false);
- document.addEventListener('dragleave', handler(false, false), false);
- document.addEventListener('drop', handler(true, false), false);
-} else if (isIE) {
+if (isIE) {
document.documentElement.attachEvent('ondragenter', handler(false, true));
document.documentElement.attachEvent('ondragover', handler(false, true));
document.documentElement.attachEvent('ondragleave', handler(false, false));
document.documentElement.attachEvent('ondrop', handler(true, false));
} else {
- // TODO(nigeltao): implement (and test) on Chromium.
+ document.addEventListener('dragenter', handler(false, true), false);
+ document.addEventListener('dragover', handler(false, true), false);
+ document.addEventListener(html5 ? 'dragleave' : 'dragexit', handler(false,
false), false);
+ document.addEventListener(html5 ? 'drop' : 'dragdrop', handler(true,
false), false);
}
function tryGetDragData(evt) {
document.getElementById('eventTypeOutput').innerHTML = evt.type;
try {
- desktop.getDragData(evt, 'Files');
+ desktop.getDragData(evt, 'application/x-gears-files');
// The line above should always throw an exception.
alert('Gears drag and drop has a potential security hole.');
} catch (ex) {
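Review bot: The new `if (html5 && !isDrop)` branch cancels dragenter/dragover with `evt.returnValue = false`, which is the IE/WebKit property. Firefox never took the equivalent branch before this change, and as far as I know Gecko of that era ignores `returnValue`, so on FF3.5 the assignment likely does nothing. If the intent is to cancel the default action so the page is a valid drop target, prefer `if (evt.preventDefault) { evt.preventDefault(); } else { evt.returnValue = false; }`. The handler body begins above this hunk, so whether `setDragCursor` already covers this on Firefox cannot be seen here.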
@@ -151,9 +142,9 @@
// This event listener will catch both natural mouseover events, and those
// mouseover events dispatched by the tryDispatchEvent function above.
-if (isFirefox || isSafari) {
+if (document.addEventListener) {
document.addEventListener('mouseover', tryGetDragData, false);
-} else if (isIE) {
+} else if (document.attachEvent) {
document.attachEvent('onmouseover', tryGetDragData);
}