Bug 114646

| Field | Value |
|---|---|
| Summary | Add a warning prompt to saving files to local filesystem via browser drag-n-drop |
| Product | WebKit |
| Component | WebCore Misc. |
| Reporter | Xiaoran <frankxrwang> |
| Assignee | Nobody <webkit-unassigned> |
| Status | RESOLVED DUPLICATE |
| Severity | Normal |
| Priority | P2 |
| Version | 528+ (Nightly build) |
| Hardware | All |
| OS | All |
Xiaoran
Security concern related to the feature developed in Bug 31090; WHATWG proposal here: http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-August/022118.html
Consequences
Spoofing is possible when what the user sees and drags is different from what is actually being dropped to the desktop.
Steps to repro:
1. Go to https://dl.dropboxusercontent.com/u/22570867/dragout.html
2. Drag the image to your local filesystem
3. You get an executable file instead of the image that is being dragged
This is not user-expected behavior, because the user is expecting what is being dragged (an image), not an executable.
Countermeasures
Add a warning dialog or a save-file prompt before saving that file to the local disk so that the user knows what file the browser is actually downloading.
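The countermeasure above amounts to telling the user what the browser would actually write before it writes it. The following is an added example, not WebKit code and not part of this report: it takes the `src` of the dragged image and the drag payload a page supplies, builds the text such a prompt would show, and flags two conditions the reporter describes, a declared filename that differs from the dragged image and a filename with an executable extension. It assumes the drag payload uses the `mimetype:filename:url` form described in the linked WHATWG proposal; the extension list, the inputs and the `example.invalid` URLs are constructed for the example.

```javascript
// Added example (not WebKit's code): compose a save prompt from a drag-out
// payload so the user sees what file would really be written to disk.
// Assumption: the payload is "mimetype:filename:url" as in the linked proposal.

// Constructed list of extensions treated as executable for the warning.
const EXECUTABLE_EXTENSIONS = new Set([
  "exe", "bat", "cmd", "com", "scr", "msi", "sh", "app", "dmg", "pkg", "jar", "vbs", "js",
]);

function extensionOf(name) {
  const m = /\.([A-Za-z0-9]+)$/.exec(name);
  return m ? m[1].toLowerCase() : "";
}

// Last path segment of a URL, or "" if the URL does not parse.
function baseName(url) {
  try {
    return decodeURIComponent(new URL(url).pathname.split("/").pop() || "");
  } catch (e) {
    return "";
  }
}

// Split "mimetype:filename:url" on the first two colons only; the URL part
// contains colons of its own. Returns null for a malformed payload.
function parseDownloadURL(value) {
  const first = value.indexOf(":");
  const second = first < 0 ? -1 : value.indexOf(":", first + 1);
  if (first < 0 || second < 0) return null;
  return {
    mimeType: value.slice(0, first),
    fileName: value.slice(first + 1, second),
    url: value.slice(second + 1),
  };
}

// Compare what the user sees (the dragged image) with what would be saved
// and produce the prompt text plus the flags a UI could act on.
function assessDragOut(visibleSrc, downloadUrlValue) {
  const visibleName = baseName(visibleSrc);
  const parsed = parseDownloadURL(downloadUrlValue);
  if (!parsed) {
    return {
      fileName: "", mimeType: "", executable: false, mismatch: true,
      prompt: "Cannot determine what file would be saved; the drag payload is malformed.",
    };
  }
  const executable = EXECUTABLE_EXTENSIONS.has(extensionOf(parsed.fileName));
  const mismatch = parsed.fileName !== visibleName;
  let host;
  try { host = new URL(parsed.url).host; } catch (e) { host = "(unknown host)"; }

  const lines = [`Save "${parsed.fileName}" (${parsed.mimeType}) from ${host} to your computer?`];
  if (mismatch) lines.push(`Note: this is not the file you dragged ("${visibleName}").`);
  if (executable) lines.push(`Warning: "${parsed.fileName}" is an executable program.`);
  return {
    fileName: parsed.fileName, mimeType: parsed.mimeType, executable, mismatch,
    prompt: lines.join("\n"),
  };
}

// Constructed inputs (not from the report): the page shows photo.png but the
// payload declares an .exe download from the same site.
const spoofedResult = assessDragOut(
  "https://example.invalid/img/photo.png",
  "application/octet-stream:photo.exe:https://example.invalid/d/1234",
);
console.log(spoofedResult.prompt);
```

The prompt is deliberately built from the declared filename and MIME type rather than from the dragged element, since the element is exactly the part the page controls for appearance; a malformed payload is reported as unknown rather than silently saved.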
Xiaoran
Moved the bug to the security section because it's related to security.
*** This bug has been marked as a duplicate of bug 114699 ***