========================================================================
http://mondrian.corp.google.com/file/12175016///depot/googleclient/gears/opensource/gears/test/manual/drag_and_drop_set_data_attack.html?a=2
File //depot/googleclient/gears/opensource/gears/test/manual/drag_and_drop_set_data_attack.html (snapshot 2)
------------------------------------
Line 1:
Spurious new line.
------------------------------------
Line 36: html5 = (navigator.userAgent.indexOf('Firefox/3.5.') > -1);
As per your other CL, I would check for Firefox 2.0 and 3.0, not check for 3.5.
------------------------------------
Line 39: if (typeof event.stopPropagation === 'function')
Double-space between typeof and event.
------------------------------------
Line 62: // alert(evt.dataTransfer.getData(dataType()));
Nix this line?
------------------------------------
Line 71: if (data.files[i].name == fileBasename())
I wouldn't check the basename -- if there was some subtle bug that made it "notepad" rather than "notepad.exe" then this test might return a false negative.
I would keep the test as, if data.files.length is non-zero then we have a potential security hole.
========================================================================
--
To respond, reply to this email or visit http://mondrian.corp.google.com/12175016
