Bug 131767 - Local files should not be allowed to read pasteboard data during drag
Summary: Local files should not be allowed to read pasteboard data during drag
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebCore Misc. (show other bugs)
Version: 528+ (Nightly build)
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Alexey Proskuryakov
URL:
Keywords:
Depends on: 131770
Blocks:
  Show dependency treegraph
 
Reported: 2014-04-16 15:12 PDT by Alexey Proskuryakov
Modified: 2014-04-27 10:23 PDT (History)
2 users (show)

See Also:

Attachments
proposed patch (7.03 KB, patch)
2014-04-25 12:43 PDT, Alexey Proskuryakov 		no flags Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexey Proskuryakov 2014-04-16 15:12:54 PDT 
As implemented in <http://trac.webkit.org/changeset/6840> for Dashboard, local files are allowed to read pasteboard data during drag, while normal documents can only do that during drop even handling.

Even local documents should not be allowed to sniff content simply dragged over them, they are not that trusted. I'm going to make this a Dashboard quirk instead.
Comment 1 Alexey Proskuryakov 2014-04-25 12:43:14 PDT 
Created attachment 230191 [details]
proposed patch
Comment 2 WebKit Commit Bot 2014-04-26 19:48:47 PDT 
Comment on attachment 230191 [details]
proposed patch

Clearing flags on attachment: 230191

Committed r167850: <http://trac.webkit.org/changeset/167850>
Comment 3 WebKit Commit Bot 2014-04-26 19:48:50 PDT 
All reviewed patches have been landed.  Closing bug.
Comment 4 Darin Adler 2014-04-27 10:23:23 PDT 
Comment on attachment 230191 [details]
proposed patch

View in context: https://bugs.webkit.org/attachment.cgi?id=230191&action=review

> Source/WebCore/page/DragController.cpp:186
> +        DataTransferAccessPolicy::Readable : DataTransferAccessPolicy::TypesReadable;

Missing indentation here. I normally find that this:

    <long line>
        ? x : y;

Is more readable than:

    <long line> ?
        x : y;

But the code above is:

    <long line> ?
    x : y;