[Webkit-unassigned] [Bug 114646] New: Add a warning prompt to saving files to local filesystem via browser drag-n-drop
bugzilla-daemon at webkit.org
Mon Apr 15 15:58:41 PDT 2013
https://bugs.webkit.org/show_bug.cgi?id=114646
Summary: Add a warning prompt to saving files to local filesystem via browser drag-n-drop
Product: WebKit
Version: 528+ (Nightly build)
Platform: All
OS/Version: All
Status: UNCONFIRMED
Severity: Normal
Priority: P2
Component: WebCore Misc.
AssignedTo: webkit-unassigned at lists.webkit.org
ReportedBy: frankxrwang at gmail.com
Security concern related to the feature developed in Bug 31090; WHATWG proposal here: http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-August/022118.html
Consequences
Spoofing is possible when what the user sees and drags is different from what is actually being dropped to the desktop.
Steps to repro:
1. Go to https://dl.dropboxusercontent.com/u/22570867/dragout.html
2. Drag the image to your local filesystem.
3. You get an executable file instead of the image that is being dragged.
This is not user-expected behavior because the user is expecting what is being dragged (an image), not an executable.
Countermeasures
Add a warning dialog or a save-file prompt before saving that file to the local disk so that the user knows what file the browser is actually downloading.
--
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
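The check behind the proposed warning prompt, sketched as an added example (not code from the report or from WebKit): it compares the element the user dragged with the file the drag-out payload would actually write. The `mimeType:fileName:url` payload layout, the function names and the extension lists are assumptions made for illustration.

```javascript
// Added example, not WebKit code. Assumption: the drag-out payload is the
// string "mimeType:fileName:url" set by the page for the dragged element.
const EXECUTABLE_EXTENSIONS = new Set([
  "exe", "com", "scr", "bat", "cmd", "msi", "vbs", "ps1", "jar", "sh", "command",
]);
const IMAGE_EXTENSIONS = new Set(["png", "jpg", "jpeg", "gif", "webp", "bmp"]);

// Split on the first two colons only: the URL part contains colons itself.
function parseDragOutPayload(value) {
  const first = value.indexOf(":");
  const second = value.indexOf(":", first + 1);
  if (first < 0 || second < 0) return null;
  const mimeType = value.slice(0, first).trim().toLowerCase();
  const fileName = value.slice(first + 1, second).trim();
  const url = value.slice(second + 1).trim();
  return fileName && url ? { mimeType, fileName, url } : null;
}

// The last extension decides how the OS treats the file ("photo.png.scr" is
// a .scr); trailing dots and spaces are dropped because Windows ignores them.
function effectiveExtension(fileName) {
  const cleaned = fileName.replace(/[. ]+$/, "");
  const dot = cleaned.lastIndexOf(".");
  return dot < 0 ? "" : cleaned.slice(dot + 1).toLowerCase();
}

// Returns { warn, reason, fileName } for the prompt the report asks for.
function dragOutWarning(draggedTag, payload) {
  const parsed = parseDragOutPayload(payload);
  if (!parsed) return { warn: true, reason: "unparseable payload", fileName: null };
  const { mimeType, fileName } = parsed;
  const ext = effectiveExtension(fileName);
  if (EXECUTABLE_EXTENSIONS.has(ext)) {
    return { warn: true, reason: "executable file type", fileName };
  }
  const looksLikeImage = mimeType.startsWith("image/") && IMAGE_EXTENSIONS.has(ext);
  if (draggedTag.toLowerCase() === "img" && !looksLikeImage) {
    return { warn: true, reason: "file does not match dragged image", fileName };
  }
  return { warn: false, reason: "matches dragged element", fileName };
}

// Constructed sample: an <img> whose payload names an executable.
console.log(dragOutWarning("img",
  "application/octet-stream:holiday.exe:https://example.test/holiday.exe"));
```

The returned `fileName` is what a prompt would show the user, so the name on screen is the name that reaches the disk.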