author | Moonchild <moonchild@palemoon.org> | 2022-02-10 22:21:40 +0000 |
---|---|---|
committer | Moonchild <moonchild@palemoon.org> | 2022-05-30 08:28:11 +0000 |
commit | c048d762cff164733ca1db285335b8bb6011e5bb (patch) | |
tree | 7aab222106d2b371a88001661bf486f0398f44b5 /widget | |
parent | 39fe9559bb8fb5135feb895da3bd91ccc760e399 (diff) | |
[DOM] Don't allow internal MIME types to be assigned to DataTransfer
We already blocked x-moz-file(-promise) and x-moz-place* but of course people
would find ways to abuse other internal types. This change now blocks everything
except x-moz-url types which are harmless. (i.e. whitelist instead of blacklist)
Diffstat (limited to 'widget')
-rw-r--r-- | widget/nsITransferable.idl | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/widget/nsITransferable.idl b/widget/nsITransferable.idl
index b128586dd1..e580673f5e 100644
--- a/widget/nsITransferable.idl
+++ b/widget/nsITransferable.idl
@@ -13,12 +13,17 @@ interface nsIPrincipal;
 %{ C++
+// Internal formats must have their second part starting with 'x-moz-',
+// for example text/x-moz-internaltype. These cannot be assigned by
+// unprivileged content but all other types can.
+#define kInternal_Mimetype_Prefix "/x-moz-"
+
 // these probably shouldn't live here, but in some central repository shared
 // by the entire app.
 #define kTextMime "text/plain"
 #define kRTFMime "text/rtf"
 #define kUnicodeMime "text/unicode"
-#define kMozTextInternal "text/x-moz-text-internal" // text data which isn't suppoed to be parsed by other apps.
+#define kMozTextInternal "text/x-moz-text-internal" // text data which isn't suppoed to be parsed by other apps.
 #define kHTMLMime "text/html"
 #define kAOLMailMime "AOLMAIL"
 #define kPNGImageMime "image/png" |
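Review bot: The comment added above `kInternal_Mimetype_Prefix` says internal types "cannot be assigned by unprivileged content", but the commit message exempts the x-moz-url types and the header does not mention that, so a reader of this file alone would assume every `/x-moz-` type is blocked. I would add a line such as `// Exception: the x-moz-url types stay assignable by content; see the DataTransfer check.` The macro also begins with the slash, so it is a substring of the full type rather than a prefix of it, and the comment should state how callers are expected to compare against it (on the lowercased format, anchored at the type/subtype separator). The enforcing code is outside this diff (limited to 'widget'), so whether the match is done that way cannot be confirmed from here. The re-aligned `kMozTextInternal` line still carries the typo `suppoed` in its trailing comment.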