Status

Core
DOM: Security
P5
normal
3 years ago
2 years ago

People

(Reporter: polomski.piotr, Unassigned, NeedInfo)

Tracking

31 Branch
x86_64
Linux
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [domsecurity-backlog], URL)

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36

Steps to reproduce:

Please visit the test page with iframes: http://msdrop.com/msdrop-jquery-test-iframe-frameset.htm

There are images or links, or you can use selected text, for drag and drop on the iframes. Just start dragging on iframes A, B, C, D to reproduce.

Iframe A src is from the same domain, no sandbox attribute
Iframe B src is from the other domain, no sandbox attribute
Iframe C src is from the same domain + sandbox="allow-scripts"
Iframe D src is from the other domain + sandbox="allow-scripts"



Actual results:

Iframe A - dragover, dragleave, drop work
Iframe B - dragover, dragleave, drop work
Iframe C - dragover, dragleave, drop do NOT work
Iframe D - dragover, dragleave, drop work


Expected results:

Iframe B - source is from the other domain, so dragover, dragleave, drop should NOT work without sandbox attribute="allow-scripts"

Iframe C - scripts are allowed, and this is the same domain, so dragover, dragleave, drop should work as in IFRAME A
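
Added example, not part of the original report or of Mozilla's code: under the HTML standard, a sandboxed iframe whose sandbox attribute lacks the allow-same-origin token is given an opaque origin, so frames A and C in the matrix above differ in origin as well as in sandboxing. The frame paths and the other.example host are constructed placeholders; only the msdrop.com page URL comes from the report.

```javascript
// Added illustration; frame paths and the second host are constructed placeholders.
const EMBEDDER = "http://msdrop.com/msdrop-jquery-test-iframe-frameset.htm";

// Parse a sandbox attribute value into a set of lowercase tokens.
// null means the attribute is absent (the frame is not sandboxed at all).
function parseSandbox(value) {
  if (value === null || value === undefined) return null;
  return new Set(value.trim().toLowerCase().split(/\s+/).filter(Boolean));
}

// Describe the origin and script state a frame ends up with under the HTML standard.
function effectiveFrameState(embedderUrl, frameSrc, sandboxValue) {
  const tokens = parseSandbox(sandboxValue);
  const urlOrigin = new URL(frameSrc, embedderUrl).origin;
  const sandboxed = tokens !== null;
  // Sandboxing forces an opaque origin unless allow-same-origin is listed.
  const opaque = sandboxed && !tokens.has("allow-same-origin");
  return {
    origin: opaque ? "opaque" : urlOrigin,
    scripts: !sandboxed || tokens.has("allow-scripts"),
    sameOriginWithEmbedder: !opaque && urlOrigin === new URL(embedderUrl).origin,
  };
}

// The four frames from the report.
const FRAMES = {
  A: { src: "/frame.htm", sandbox: null },
  B: { src: "http://other.example/frame.htm", sandbox: null },
  C: { src: "/frame.htm", sandbox: "allow-scripts" },
  D: { src: "http://other.example/frame.htm", sandbox: "allow-scripts" },
};

// Compute the effective state for every frame in the matrix.
function classifyAll() {
  const out = {};
  for (const [name, f] of Object.entries(FRAMES)) {
    out[name] = effectiveFrameState(EMBEDDER, f.src, f.sandbox);
  }
  return out;
}

console.table(classifyAll());
```

Only frame A is same-origin with the embedding page in this model; adding allow-same-origin to frame C's sandbox value would restore its URL origin.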
(Reporter)

Updated

3 years ago
Version: unspecified → 31 Branch
(Reporter)

Comment 1

3 years ago
Windows Firefox and Linux Iceweasel give the same result.

In Chrome/Chromium and Internet Explorer, on iframes B, C, D, dragover, dragleave, drop do NOT work.

But in Opera, on iframes B, C, D, dragover, dragleave and drop work.

Updated

3 years ago
Component: Untriaged → DOM: Security
Product: Firefox → Core

Comment 2

2 years ago
Hi Olli,
Can you take a look at this bug?  Is this an issue we need to fix?
Flags: needinfo?(bugs)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P5
Whiteboard: [domsecurity-backlog]