906411 - user event.dataTransfer.clearData in ondragend doesn't allow modifications

Status: UNCONFIRMED

(Core :: DOM: Copy & Paste and Drag & Drop, defect)

Description

[joenix]

Attachment: dnd-clearData.html

User Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.97 Safari/537.11

Steps to reproduce:

user event.dataTransfer.clearData in ondragend


Actual results:

Modifications are not allowed for this document


Expected results:

Removes the data of the specified formats. Removes all data if the argument is omitted.

Comment 1

[Andrew McCreight [:mccr8]]

This doesn't look like a security issue to me.

Comment 2

[Neil Deakin]

The actual expected result is that nothing should happen. clearData only has any effect during dragstart. We throw an exception because this was implemented before the spec said much about what to do in this case.

Comment 3

[Karl Dubost💡 :karlcow]

dragend event should not allow the modification of the dataStore.
according to
https://html.spec.whatwg.org/multipage/dnd.html#dndevents

The drag data store mode is
drop -> read-only mode
dragend -> protected mode

Protected mode.
https://html.spec.whatwg.org/multipage/dnd.html#concept-dnd-p

For all other events. The formats and kinds in the drag data store list of items representing dragged data can be enumerated, but the data itself is unavailable and no new data can be added.

btw it seems that Firefox is making the data accessible on drag end, while the spec suggests it should not be possible, if I read correctly.

Comment 4

[Dennis Schubert [:denschub]]

We don't have any evidence for this breaking sites in Firefox, setting P3 for now.