I talked to Michael and dveditz about the implementation. One of the main concerns was outlined by Jesse in comment 20, tricking the user to drag/drop onto the wrong site.

A malicious site could frame a good site which has a drag and drop. However the malicious site wouldn't be able to access the file contents due to scripting restrictions. The code prevents event propagation for a drag and drop event.

A similar attack would be if code injection was found on a good site and used to frame a bad site drag/drop control. However this is a moot point since the attacker can already inject their own code on the good site.

The last concern was if there were non-file elements in the DataTransfer object. The code retrieves a file list and ignores non-file elements.

We may want to revisit drag and drop as the HTML5 File API is implemented, but the review for this bug has been completed.

--
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/131145

Title: Dragging icon from Nautilus to HTML File Input box does not work

To manage notifications about this bug go to: https://bugs.launchpad.net/firefox/+bug/131145/+subscriptions

--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
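The two properties the review above relies on, stopping propagation of the drop event and keeping only file entries from the DataTransfer, can be seen in a minimal page-side drop handler. The following is an added illustration, not the Firefox code that was reviewed; the DataTransfer-like objects and the `report.pdf` entry are constructed for the example, where a browser would supply `event.dataTransfer`.

```javascript
// Added example (not the code under review): a drop handler that stops the
// event from reaching ancestor elements and keeps only file entries from the
// DataTransfer, ignoring non-file items such as dragged text or URLs.

function collectDroppedFiles(dataTransfer) {
  const files = [];
  // Prefer DataTransfer.items, which records the kind of each entry.
  if (dataTransfer.items && dataTransfer.items.length !== undefined) {
    for (const item of dataTransfer.items) {
      if (item.kind === "file") {
        const f = item.getAsFile();
        if (f) files.push(f);
      }
      // "string" items (text/plain, text/uri-list, ...) are deliberately ignored
    }
    return files;
  }
  // Fall back to DataTransfer.files, which only ever holds File objects.
  return Array.from(dataTransfer.files || []);
}

function handleDrop(event) {
  event.preventDefault();   // keep the browser from navigating to the dropped item
  event.stopPropagation();  // ancestor elements' drop listeners never see the event
  return collectDroppedFiles(event.dataTransfer);
}

// Constructed sample: a drop carrying one file and one text entry.
function makeSampleEvent() {
  let stopped = false;
  const file = { name: "report.pdf", size: 1024, type: "application/pdf" };
  const items = [
    { kind: "file", type: "application/pdf", getAsFile: () => file },
    { kind: "string", type: "text/plain", getAsFile: () => null },
  ];
  return {
    dataTransfer: { items, files: [file] },
    preventDefault() {},
    stopPropagation() { stopped = true; },
    get propagationStopped() { return stopped; },
  };
}

const dropped = handleDrop(makeSampleEvent());
console.log(dropped.map((f) => f.name)); // ["report.pdf"]
```

In a real page the handler would be attached with `element.addEventListener("drop", handleDrop)`; the string item representing dragged text is discarded rather than treated as a file, which is the behaviour the review describes for non-file elements.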
