Disable RTF in JavaScript drag-and-drop

https://bugs.webkit.org/show_bug.cgi?id=76597

Reviewed by Maciej Stachowiak.

Source/WebCore:

Test: fast/events/drag-and-drop-subframe-dataTransfer.html

* platform/mac/ClipboardMac.mm:
(WebCore::cocoaTypeFromHTMLClipboardType):

LayoutTests:

* fast/events/drag-and-drop-subframe-dataTransfer-expected.txt: Added.
* fast/events/drag-and-drop-subframe-dataTransfer.html: Added.
* fast/events/resources/file-for-drag-and-drop-subframe-dataTransfer.html: Added.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@115513 268f45cc-cd09-0410-ab3c-d52691b4dbfc

diff --git a/LayoutTests/ChangeLog b/LayoutTests/ChangeLog
index b818fae..e56176d 100644 (file)
--- a/LayoutTests/ChangeLog
+++ b/LayoutTests/ChangeLog
@@ -1,3 +1,14 @@
+2012-04-24  Jeffrey Pfau  <jpfau@apple.com>
+
+        Disable RTF in JavaScript drag-and-drop
+        https://bugs.webkit.org/show_bug.cgi?id=76597
+
+        Reviewed by Maciej Stachowiak.
+
+        * fast/events/drag-and-drop-subframe-dataTransfer-expected.txt: Added.
+        * fast/events/drag-and-drop-subframe-dataTransfer.html: Added.
+        * fast/events/resources/file-for-drag-and-drop-subframe-dataTransfer.html: Added.
+
 2012-04-27  Sudarsana Nagineni  <sudarsana.nagineni@linux.intel.com>
 
         [EFL] [DRT] Unskip passing tests related to editing commands

diff --git a/LayoutTests/fast/events/drag-and-drop-subframe-dataTransfer-expected.txt b/LayoutTests/fast/events/drag-and-drop-subframe-dataTransfer-expected.txt
new file mode 100644 (file)
index 0000000..7ef22e9
--- /dev/null
+++ b/LayoutTests/fast/events/drag-and-drop-subframe-dataTransfer-expected.txt
@@ -0,0 +1 @@
+PASS

diff --git a/LayoutTests/fast/events/drag-and-drop-subframe-dataTransfer.html b/LayoutTests/fast/events/drag-and-drop-subframe-dataTransfer.html
new file mode 100644 (file)
index 0000000..5e90709
--- /dev/null
+++ b/LayoutTests/fast/events/drag-and-drop-subframe-dataTransfer.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+function onDrop(evt) {
+       document.body.innerHTML = 'PASS';
+       if (!evt.dataTransfer.types) return;
+       for (var i = 0, type; type = evt.dataTransfer.types[i]; i++) {
+               clip = evt.dataTransfer.getData(type);
+               if (typeof clip == 'string' && clip.indexOf('FAIL') != -1)
+                       document.body.innerHTML = 'FAIL';
+       }
+       evt.preventDefault();
+       window.layoutTestController.notifyDone();
+}
+
+function runTest() {
+       window.layoutTestController.dumpAsText();
+       window.layoutTestController.waitUntilDone();
+       var d = document.getElementById('drag');
+       var o = document.getElementById('drop');
+       eventSender.mouseMoveTo(d.offsetLeft + d.offsetWidth / 2, d.offsetTop + d.offsetHeight / 2);
+       eventSender.mouseDown();
+       eventSender.leapForward(100);
+       eventSender.mouseMoveTo(o.offsetLeft + o.offsetWidth / 2, o.offsetTop + o.offsetHeight / 2);
+       eventSender.mouseUp();
+}
+
+window.onload = function() {
+       var d = document.getElementById('drag');
+       var r = document.createRange();
+       r.selectNode(d);
+       getSelection().removeAllRanges();
+       getSelection().addRange(r);
+       document.getElementById('drop').addEventListener('drop', onDrop, true);
+       window.addEventListener('dragover', function(x) { x.preventDefault() }, true);
+       window.addEventListener('dragstart', function(x) { window.focus() }, true);
+
+       if (window.layoutTestController)
+               runTest();
+}
+</script>
+</head>
+<body>
+Dragging this iframe onto a drop target should not expose its contents.
+<div id="drag" style="-webkit-user-drag: element ">
+&rarr;
+<iframe src="resources/file-for-drag-and-drop-subframe-dataTransfer.html"></iframe>
+&larr;
+</div>
+<input id="drop">
+</body>
+</html>

diff --git a/LayoutTests/fast/events/resources/file-for-drag-and-drop-subframe-dataTransfer.html b/LayoutTests/fast/events/resources/file-for-drag-and-drop-subframe-dataTransfer.html
new file mode 100644 (file)
index 0000000..3cfcb61
--- /dev/null
+++ b/LayoutTests/fast/events/resources/file-for-drag-and-drop-subframe-dataTransfer.html
@@ -0,0 +1 @@
+FAIL - This information should not be accessible from dataTransfer.getData()

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
index 936e899..3c6b1ba 100644 (file)
--- a/Source/WebCore/ChangeLog
+++ b/Source/WebCore/ChangeLog
@@ -1,3 +1,15 @@
+2012-04-24  Jeffrey Pfau  <jpfau@apple.com>
+
+        Disable RTF in JavaScript drag-and-drop
+        https://bugs.webkit.org/show_bug.cgi?id=76597
+
+        Reviewed by Maciej Stachowiak.
+
+        Test: fast/events/drag-and-drop-subframe-dataTransfer.html
+
+        * platform/mac/ClipboardMac.mm:
+        (WebCore::cocoaTypeFromHTMLClipboardType):
+
 2012-04-26  James Robinson  <jamesr@chromium.org>
 
         [chromium] Separate IOSurface layer type from texture layers

diff --git a/Source/WebCore/platform/mac/ClipboardMac.mm b/Source/WebCore/platform/mac/ClipboardMac.mm
index cd07d89..e7a4bb8 100644 (file)
--- a/Source/WebCore/platform/mac/ClipboardMac.mm
+++ b/Source/WebCore/platform/mac/ClipboardMac.mm
@@ -88,6 +88,10 @@ static String cocoaTypeFromHTMLClipboardType(const String& type)
         // special case because UTI doesn't work with Cocoa's URL type
         return String(NSURLPboardType); // note special case in getData to read NSFilenamesType
 
+    // Blacklist types that might contain subframe information
+    if (qType == "text/rtf" || qType == "public.rtf" || qType == "com.apple.traditional-mac-plain-text")
+        return String();
+
     // Try UTI now
     String mimeType = qType;
     RetainPtr<CFStringRef> utiType(AdoptCF, UTTypeCreatePreferredIdentifierForTag(kUTTagClassMIMEType, mimeType.createCFString(), NULL));