845194 - Cross-domain drag and drop across IFrames.

Status: NEW

(Core :: DOM: Copy & Paste and Drag & Drop, defect)

Description

[ahamed.nafeez]

User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.97 Safari/537.22

Steps to reproduce:

Drag the contents/view-source of a page in to a cross-domain IFrame.


Actual results:

The Contents/view-source of the page becomes successfully available in a TextArea inside the cross-origin IFrame.


Expected results:

The contents/view-source details should be allowed to be extracted cross-domain.
Here's the PoC,
http://test.skepticfx.com/iframe/dragff.php?url=http://www.owasp.org
This is a defect in the previous fix for a similar bug.
https://bugzilla.mozilla.org/show_bug.cgi?id=605991

Comment 3

[Andrew McCreight [:mccr8]]

Matt, could you see if this still reproduces?  A similar bug has been fixed.  Thanks.

Comment 4

[Matt Wobensmith [:mwobensmith][:matt:]]

This still works in m-c 2013-07-10.

Comment 5

[Stephanie Ouillon [:arroway] (needinfo me)]

Firefox Aurora and latest Nightly are still vulnerable to this (new poc: https://pastie.se/6751704e)

Comment 6

[Florian Bender]

(In reply to ahamed.nafeez from comment #0)
> Expected results:
> 
> The contents/view-source details should be allowed to be extracted
> cross-domain.

I assume "should NOT be allowed"?

Comment 7

[ahamed.nafeez]

Yep!
It was a typo.

(In reply to Florian Bender from comment #6)
> (In reply to ahamed.nafeez from comment #0)
> > Expected results:
> > 
> > The contents/view-source details should be allowed to be extracted
> > cross-domain.
> 
> I assume "should NOT be allowed"?