Comment 82 for bug 131145

I talked to Michael and dveditz about the implementation. One of the main concerns was outlined by Jesse in comment 20 , tricking the user to drag/drop onto the wrong site.

A malicious site could frame a good site which has a drag and drop. However the malicious site wouldn't be able to access the file contents due to scripting restrictions. The code prevents event propagation for a drag and drop event.

A similar attack would be if code injection was found on a good site and used to frame a bad site drag/drop control. However this is a moot point since the attacker can already inject their own code on the good site.

The last concern was if there were non-file elements in the DataTransfer object. The code retrieves a file list and ignores non-file elements.

We may want to revisit drag and drop as the HTML5 File API is implemented, but the review for this bug has been completed.