WebKit Bugzilla
Bug 114646 - RESOLVED DUPLICATE of bug 114699
Add a warning prompt to saving files to local filesystem via browser drag-n-drop
https://bugs.webkit.org/show_bug.cgi?id=114646
Reported by Xiaoran, 2013-04-15 15:56:58 PDT
Security concern related to feature developed in Bug 31090, whatwg proposal here (http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-August/022118.html).

Consequences
Spoofing is possible when what the user sees and drags is different from what is actually being dropped to the desktop.

Steps to repro:
1. Go to https://dl.dropboxusercontent.com/u/22570867/dragout.html
2. Drag the image to your local filesystem
3. You get an executable file instead of the image that is being dragged

This is not a user expected behavior because the user is expecting what is being dragged (an image), not an executable.

Countermeasures
Add a warning dialog or a save-file prompt before saving that file to the local disk so that the user knows what file the browser is actually downloading.
Comment 1, Xiaoran, 2013-04-16 13:24:54 PDT
Moved the bug to security section because it's related to security.
*** This bug has been marked as a duplicate of bug 114699 ***
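The check behind the countermeasure proposed in the report, as an added example that is not part of the original bug report or of WebKit's code. It assumes the drag-out data is a `DownloadURL` string of the form `mime:filename:url` (a format not stated on this page); the function names and the extension lists are hypothetical and constructed for illustration.

```javascript
// Added example: decide whether a drag-out should trigger a save prompt.
// Assumption: the drag carries a "DownloadURL" item shaped "mime:filename:url".

// Extensions treated as directly runnable (constructed, non-exhaustive list).
const RUNNABLE = new Set(["exe", "scr", "bat", "cmd", "com", "msi", "app", "command", "sh", "jar"]);

// What the user believes they are dragging, keyed by the visible element's tag.
const EXPECTED = {
  img: { mimePrefix: "image/", exts: new Set(["png", "jpg", "jpeg", "gif", "webp", "svg", "bmp"]) },
};

// Split on the first two colons only: the URL part contains colons itself.
function parseDownloadURL(value) {
  const first = value.indexOf(":");
  const second = value.indexOf(":", first + 1);
  if (first < 0 || second < 0) return null;
  const mime = value.slice(0, first).trim().toLowerCase();
  const filename = value.slice(first + 1, second).trim();
  const url = value.slice(second + 1).trim();
  return filename && url ? { mime, filename, url } : null;
}

// Final extension, ignoring trailing dots and spaces (Windows drops them on save).
function effectiveExtension(filename) {
  const cleaned = filename.replace(/[. ]+$/, "");
  const dot = cleaned.lastIndexOf(".");
  return dot <= 0 ? "" : cleaned.slice(dot + 1).toLowerCase();
}

// Returns { prompt, reasons } for a drag of element `tagName` carrying `downloadURL`.
function assessDragOut(tagName, downloadURL) {
  const parsed = parseDownloadURL(downloadURL);
  if (!parsed) return { prompt: true, reasons: ["malformed DownloadURL"] };
  const tag = tagName.toLowerCase();
  const ext = effectiveExtension(parsed.filename);
  const expected = EXPECTED[tag];
  const reasons = [];
  if (RUNNABLE.has(ext)) reasons.push(`file would be saved as runnable type .${ext}`);
  if (expected && !expected.exts.has(ext)) {
    reasons.push(`dragged <${tag}> but the saved file is "${parsed.filename}"`);
  }
  if (expected && !parsed.mime.startsWith(expected.mimePrefix)) {
    reasons.push(`declared type "${parsed.mime}" does not match the dragged element`);
  }
  return { prompt: reasons.length > 0, reasons };
}
```

The `reasons` strings are what a prompt would show the user, so the dialog names the file that is actually being written rather than the element that was dragged.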