Chromium Code Reviews

Unified Diff: ui/base/dragdrop/os_exchange_data.h

Issue 207013003: Mark drags starting in web content as tainted to avoid file path forgery (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: More fixes and comment Created 6 years, 9 months ago
Index: ui/base/dragdrop/os_exchange_data.h
diff --git a/ui/base/dragdrop/os_exchange_data.h b/ui/base/dragdrop/os_exchange_data.h
index 8b848ce9ae6176478da534a93e353a03d89711f3..ee456efaa5c27ff08697df77ed9f07a9bd1fd286 100644
--- a/ui/base/dragdrop/os_exchange_data.h
+++ b/ui/base/dragdrop/os_exchange_data.h
@@ -102,6 +102,9 @@ class UI_BASE_EXPORT OSExchangeData {
virtual Provider* Clone() const = 0;
+ virtual void MarkRendererTainted() = 0;
+ virtual bool IsRendererTainted() const = 0;
tony 2014/03/21 23:09:00 Nit: I would name these something more explicit.
dcheng 2014/03/21 23:57:07 Done.
+
virtual void SetString(const base::string16& data) = 0;
virtual void SetURL(const GURL& url, const base::string16& title) = 0;
virtual void SetFilename(const base::FilePath& path) = 0;
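Review bot: The two pure virtuals added to Provider right after Clone() have no comment stating their contract, and their placement raises the question of whether Clone() is expected to carry the taint over to the copy. If a cloned provider comes back untainted, a consumer that checks IsRendererTainted() on the clone would treat renderer-originated data as untainted. Suggest a short comment here saying the mark is sticky and must be preserved by Clone(), plus a test for each Provider implementation that covers the clone case.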
@@ -163,6 +166,12 @@ class UI_BASE_EXPORT OSExchangeData {
const Provider& provider() const { return *provider_; }
Provider& provider() { return *provider_; }
+ // Marks drag data as tainted if it originates from the renderer. This is used
+ // to avoid granting privileges to a renderer when dragging in tainted data,
+ // since it could allow potential escalation of privileges.
+ void MarkRendererTainted();
+ bool IsRendererTainted() const;
+
// These functions add data to the OSExchangeData object of various Chrome
// types. The OSExchangeData object takes care of translating the data into
// a format suitable for exchange with the OS.
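Review bot: In the comment above MarkRendererTainted(), "Marks drag data as tainted if it originates from the renderer" reads as if the method checks the origin itself, but it takes no arguments, so the caller makes that decision. Suggest rewording it to say the caller invokes this for drags that start in the renderer, and giving IsRendererTainted() its own line stating what a drop target should decline to do when it returns true. The interface also has no way to clear the mark; if that is intentional, say so in the comment.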
