    Revert 169711 "Prevent web content from forging File entries in ..." · b65d8f8d
    dcheng@chromium.org authored
    As it turns out, we only needed to patch the Chrome side.
    
    > Prevent web content from forging File entries in drag and drop.
    > 
    > There are two separate bugs that this and the corresponding Chrome patch
    > aim to address:
    > - On Linux, files and URLs are transferred in the same MIME type, so
    >   it's impossible to tell if a filename was set by a trusted source or
    >   forged by web content.
    > - DownloadURL triggers the download of potentially cross-origin content.
    >   On some platforms, such as Windows, the resulting download is treated
    >   as a file drag by Chrome, allowing web content to read cross origin
    >   content.
    > 
    > In order to prevent web content from doing this, drags initiated by a
    > renderer will be marked as tainted. When tainted drags are over web
    > content, Blink will only allow the resulting filename to be used for
    > navigation, with Chrome enforcing this with the sandbox policy.
    > 
    > Unfortunately, this does break some potentially interesting use cases
    > like being able to drag an attachment from Gmail to a file input, but
    > those will have to be separately addressed, if possible.
    > 
    > BUG=346135
    > R=abarth@chromium.org, tony@chromium.org
    > 
    > Review URL: https://codereview.chromium.org/193803002
    
    TBR=dcheng@chromium.org
    
    Review URL: https://codereview.chromium.org/211853002
    
    git-svn-id: svn://svn.chromium.org/blink/trunk@169979 bbb929c8-8fbe-4397-9dbb-9b2b20218538
WebDragData.h 4.07 KB