Bureaucrats, canmove, Confirmed users
642
edits
Firefox 3.6/HTML5 File Objects Security Review: Difference between revisions
Jump to navigation
Jump to search
m
Firefox 3.6/HTML5 File Objects Security Review (view source)
Revision as of 21:26, 25 August 2009
, 25 August 2009→Review comments
| Line 51: | Line 51: | ||
* Page gets info about file. Should not include path (currently doesn't), name and extension is OK. | * Page gets info about file. Should not include path (currently doesn't), name and extension is OK. | ||
* only transfer data between pages with the same principal | * only transfer data between pages with the same principal | ||
* once a page gets a "DOMFile" reference it can read that file as long as the page is open, including any future edits during that time. This may be counter-intuitive to users who expect pages to get a "copy" of the file when it's dropped/submitted. | |||
* <jesse> allowing file drops turns window.moveTo into a security hole. maybe fixing https://bugzilla.mozilla.org/show_bug.cgi?id=502561 needs to block supporting file drops. | |||