    Prevent web content from forging File entries in drag and drop. · 2978880d
    dcheng@chromium.org authored
    There are two separate bugs that this and the corresponding Chrome patch
    aim to address:
    - On Linux, files and URLs are transferred in the same MIME type, so
      it's impossible to tell if a filename was set by a trusted source or
      forged by web content.
    - DownloadURL triggers the download of potentially cross-origin content.
      On some platforms, such as Windows, the resulting download is treated
      as a file drag by Chrome, allowing web content to read cross-origin
      content.
    
    In order to prevent web content from doing this, drags initiated by a
    renderer will be marked as tainted. When tainted drags are over web
    content, Blink will only allow the resulting filename to be used for
    navigation, with Chrome enforcing this with the sandbox policy.
    
    Unfortunately, this does break some potentially interesting use cases
    like being able to drag an attachment from Gmail to a file input, but
    those will have to be separately addressed, if possible.
    
    BUG=346135
    R=abarth@chromium.org, tony@chromium.org
    
    Review URL: https://codereview.chromium.org/193803002
    
    git-svn-id: svn://svn.chromium.org/blink/trunk@169711 bbb929c8-8fbe-4397-9dbb-9b2b20218538
WebDragData.h 4.14 KB