Requirement to exploit: Convince the user to drag something (within the browser window is sufficient). Impact: CheckLoadURI bypassed. I don't remember how bad this is.
Demo CSS based on demo in bug 206859.
The other demo probably only works on Windows. This one uses a chrome: URL instead of a file: URL.
Attachment #152746 - Attachment is obsolete: true
If you combine this with bug 250862, this is an arbitrary code execution hole. See demo in bug 250862 comment 1.
Assignee: dveditz → jst
Component: Security: General → DOM: Events
Btw, this check has to be done for dragged text as well as dragged links.
personally i rely on these drags to work. i'd rather we fix the status bar and a tooltip to not be forgable or otherwise obscurable so that people can see what they're actually taking with them.
timeless: stop relying on security holes :)
15 years ago
Flags: blocking-aviary1.0PR? → blocking-aviary1.0PR+
15 years ago
Priority: -- → P1
jst: Did you try the demo in bug 250862?
No, I wrote up my own testcase, and obviously something went wrong there... With that testcase I do see the bug. I've got a patch that fixes that for Firefox, attaching...
Attachment #156548 - Attachment is obsolete: true
minus on this one since it is now tracked in http://bugzilla.mozilla.org/show_bug.cgi?id=250862
*** This bug has been marked as a duplicate of 285438 ***
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.