HTML Standard
6.11 Drag and drop
6.11.1 Introduction
6.11.2 The drag data store
6.11.3 The DataTransfer interface
6.11.3.1 The DataTransferItemList interface
6.11.3.2 The DataTransferItem interface
6.11.4 The DragEvent interface
6.11.5 Processing model
6.11.6 Events summary
6.11.7 The draggable attribute
6.11.8 Security risks in the drag-and-drop model
6.11 Drag and drop
This section defines an event-based drag-and-drop mechanism.
This specification does not define exactly what a drag-and-drop operation actually is.
On a visual medium with a pointing device, a drag operation could be the default action of a mousedown event that is followed by a series of mousemove events, and the drop could be triggered by the mouse being released.
When using an input modality other than a pointing device, users would probably have to
explicitly indicate their intention to perform a drag-and-drop operation, stating what they wish
to drag and where they wish to drop it, respectively.
However it is implemented, drag-and-drop operations must have a starting point (e.g. where the
mouse was clicked, or the start of the selection or element that was selected for the drag), may
have any number of intermediate steps (elements that the mouse moves over during a drag, or
elements that the user picks as possible drop points as they cycle through possibilities), and must
either have an end point (the element above which the mouse button was released, or the element
that was finally selected), or be canceled. The end point must be the last element selected as a
possible drop point before the drop occurs (so if the operation is not canceled, there must be at
least one element in the middle step).
6.11.1 Introduction
This section is non-normative.
To make an element draggable, give the element a draggable attribute, and set an event listener for dragstart that stores the data being dragged.
The event handler typically needs to check that it's not a text selection that is being dragged, and then needs to store data into the DataTransfer object and set the allowed effects (copy, move, link, or some combination).
For example:
    <p>What fruits do you like?</p>
    <ol ondragstart="dragStartHandler(event)">
     <li draggable="true" data-value="fruit-apple">Apples</li>
     <li draggable="true" data-value="fruit-orange">Oranges</li>
     <li draggable="true" data-value="fruit-pear">Pears</li>
    </ol>
    <script>
      var internalDNDType = 'text/x-example'; // set this to something specific to your site
      function dragStartHandler(event) {
        if (event.target instanceof HTMLLIElement) {
          // use the element's data-value="" attribute as the value to be moving:
          event.dataTransfer.setData(internalDNDType, event.target.dataset.value);
          event.dataTransfer.effectAllowed = 'move'; // only allow moves
        } else {
          event.preventDefault(); // don't allow selection to be dragged
        }
      }
    </script>
To accept a drop, the drop target has to listen to the following events:
- The dragenter event handler reports whether or not the drop target is potentially willing to accept the drop, by canceling the event.
- The dragover event handler specifies what feedback will be shown to the user, by setting the dropEffect attribute of the DataTransfer associated with the event. This event also needs to be canceled.
- The drop event handler has a final chance to accept or reject the drop. If the drop is accepted, the event handler must perform the drop operation on the target. This event needs to be canceled, so that the dropEffect attribute's value can be used by the source. Otherwise, the drop operation is rejected.
For example:
    <p>Drop your favorite fruits below:</p>
    <ol ondragenter="dragEnterHandler(event)" ondragover="dragOverHandler(event)"
        ondrop="dropHandler(event)">
    </ol>
    <script>
      var internalDNDType = 'text/x-example'; // set this to something specific to your site
      function dragEnterHandler(event) {
        var items = event.dataTransfer.items;
        for (var i = 0; i < items.length; ++i) {
          var item = items[i];
          if (item.kind == 'string' && item.type == internalDNDType) {
            event.preventDefault();
            return;
          }
        }
      }
      function dragOverHandler(event) {
        event.dataTransfer.dropEffect = 'move';
        event.preventDefault();
      }
      function dropHandler(event) {
        var li = document.createElement('li');
        var data = event.dataTransfer.getData(internalDNDType);
        if (data == 'fruit-apple') {
          li.textContent = 'Apples';
        } else if (data == 'fruit-orange') {
          li.textContent = 'Oranges';
        } else if (data == 'fruit-pear') {
          li.textContent = 'Pears';
        } else {
          li.textContent = 'Unknown Fruit';
        }
        event.target.appendChild(li);
      }
    </script>
To remove the original element (the one that was dragged) from the display, the dragend event can be used.
For our example here, that means updating the original markup to handle that event:
    <p>What fruits do you like?</p>
    <ol ondragstart="dragStartHandler(event)" ondragend="dragEndHandler(event)">
     ...as before...
    </ol>
    <script>
      function dragStartHandler(event) {
        // ...as before...
      }
      function dragEndHandler(event) {
        if (event.dataTransfer.dropEffect == 'move') {
          // remove the dragged element
          event.target.parentNode.removeChild(event.target);
        }
      }
    </script>
6.11.2 The drag data store
The data that underlies a drag-and-drop operation, known as the drag data store, consists of the following information:
- A drag data store item list, which is a list of items representing the dragged data, each consisting of the following information:
    The drag data item kind
        The kind of data:
        Text
            Text.
        File
            Binary data with a filename.
    The drag data item type string
        A Unicode string giving the type or format of the data, generally given by a MIME type. Some values that are not MIME types are special-cased for legacy reasons. The API does not enforce the use of MIME types; other values can be used as well. In all cases, however, the values are all converted to ASCII lowercase by the API.
        There is a limit of one text item per item type string.
    The actual data
        A Unicode or binary string, in some cases with a filename (itself a Unicode string), as per the drag data item kind.
  The drag data store item list is ordered in the order that the items were added to the list; most recently added last.
- The following information, used to generate the UI feedback during the drag:
    User-agent-defined default feedback information, known as the drag data store default feedback.
    Optionally, a bitmap image and the coordinate of a point within that image, known as the drag data store bitmap and drag data store hot spot coordinate.
- A drag data store mode, which is one of the following:
    Read/write mode
        For the dragstart event. New data can be added to the drag data store.
    Read-only mode
        For the drop event. The list of items representing dragged data can be read, including the data. No new data can be added.
    Protected mode
        For all other events. The formats and kinds in the drag data store list of items representing dragged data can be enumerated, but the data itself is unavailable and no new data can be added.
- A drag data store allowed effects state, which is a string.
When a drag data store is created, it must be initialized such that its drag data store item list is empty, it has no drag data store default feedback, it has no drag data store bitmap and drag data store hot spot coordinate, its drag data store mode is protected mode, and its drag data store allowed effects state is the string "uninitialized".
6.11.3 The DataTransfer interface
DataTransfer objects are used to expose the drag data store that underlies a drag-and-drop operation.
    [Exposed=Window]
    interface DataTransfer {
      constructor();

      attribute DOMString dropEffect;
      attribute DOMString effectAllowed;

      [SameObject] readonly attribute DataTransferItemList items;

      undefined setDragImage(Element image, long x, long y);

      /* old interface */
      readonly attribute FrozenArray<DOMString> types;
      DOMString getData(DOMString format);
      undefined setData(DOMString format, DOMString data);
      undefined clearData(optional DOMString format);
      [SameObject] readonly attribute FileList files;
    };
dataTransfer = new DataTransfer()
Creates a new DataTransfer object with an empty drag data store.
dataTransfer.dropEffect [ = value ]
Returns the kind of operation that is currently selected. If the kind of operation isn't one of those that is allowed by the effectAllowed attribute, then the operation will fail.
Can be set, to change the selected operation.
The possible values are "none", "copy", "link", and "move".
dataTransfer.effectAllowed [ = value ]
Returns the kinds of operations that are to be allowed.
Can be set (during the dragstart event), to change the allowed operations.
The possible values are "none", "copy", "copyLink", "copyMove", "link", "linkMove", "move", "all", and "uninitialized".
dataTransfer.items
Returns a DataTransferItemList object, with the drag data.
dataTransfer.setDragImage(element, x, y)
Uses the given element to update the drag feedback, replacing any previously specified
feedback.
dataTransfer.types
Returns a frozen array listing the formats that were set in the dragstart event. In addition, if any files are being dragged, then one of the types will be the string "Files".
data = dataTransfer.getData(format)
Returns the specified data. If there is no such data, returns the empty string.
dataTransfer.setData(format, data)
Adds the specified data.
dataTransfer.clearData([ format ])
Removes the data of the specified formats. Removes all data if the argument is
omitted.
dataTransfer.files
Returns a FileList of the files being dragged, if any.
DataTransfer objects that are created as part of drag-and-drop events are only valid while those events are being fired.
A DataTransfer object is associated with a drag data store while it is valid.
A DataTransfer object has an associated types array, which is a FrozenArray, initially empty. When the contents of the DataTransfer object's drag data store item list change, or when the DataTransfer object becomes no longer associated with a drag data store, run the following steps:
1. Let be an empty sequence.
2. If the DataTransfer object is still associated with a drag data store, then:
   1. For each item in the DataTransfer object's drag data store item list whose kind is text, add an entry to consisting of the item's type string.
   2. If there are any items in the DataTransfer object's drag data store item list whose kind is File, then add an entry to consisting of the string "Files". (This value can be distinguished from the other values because it is not lowercase.)
3. Set the DataTransfer object's types array to the result of creating a frozen array from
The DataTransfer() constructor, when invoked, must return a newly created DataTransfer object initialized as follows:
1. Set the drag data store's item list to be an empty list.
2. Set the drag data store's mode to read/write mode.
3. Set the dropEffect and effectAllowed to "none".
The dropEffect attribute controls the drag-and-drop feedback that the user is given during a drag-and-drop operation. When the DataTransfer object is created, the dropEffect attribute is set to a string value. On getting, it must return its current value. On setting, if the new value is one of "none", "copy", "link", or "move", then the attribute's current value must be set to the new value. Other values must be ignored.
The effectAllowed attribute is used in the drag-and-drop processing model to initialize the dropEffect attribute during the dragenter and dragover events. When the DataTransfer object is created, the effectAllowed attribute is set to a string value. On getting, it must return its current value. On setting, if the drag data store's mode is the read/write mode and the new value is one of "none", "copy", "copyLink", "copyMove", "link", "linkMove", "move", "all", or "uninitialized", then the attribute's current value must be set to the new value. Otherwise, it must be left unchanged.
The items attribute must return a DataTransferItemList object associated with the DataTransfer object.
The setDragImage(image, x, y) method must run the following steps:
1. If the DataTransfer object is no longer associated with a drag data store, return. Nothing happens.
2. If the drag data store's mode is not the read/write mode, return. Nothing happens.
3. If image is an img element, then set the drag data store bitmap to the element's image (at its natural size); otherwise, set the drag data store bitmap to an image generated from the given element (the exact mechanism for doing so is not currently specified).
4. Set the drag data store hot spot coordinate to the given x, y coordinate.
The types attribute must return this DataTransfer object's types array.
The getData(format) method must run the following steps:
1. If the DataTransfer object is no longer associated with a drag data store, then return the empty string.
2. If the drag data store's mode is the protected mode, then return the empty string.
3. Let format be the first argument, converted to ASCII lowercase.
4. Let convert-to-URL be false.
5. If format equals "text", change it to "text/plain".
6. If format equals "url", change it to "text/uri-list" and set convert-to-URL to true.
7. If there is no item in the drag data store item list whose kind is text and whose type string is equal to format, return the empty string.
8. Let result be the data of the item in the drag data store item list whose kind is Plain Unicode string and whose type string is equal to format.
9. If convert-to-URL is true, then parse result as appropriate for text/uri-list data, and then set result to the first URL from the list, if any, or the empty string otherwise. [RFC2483]
10. Return result.
The setData(format, data) method must run the following steps:
1. If the DataTransfer object is no longer associated with a drag data store, return. Nothing happens.
2. If the drag data store's mode is not the read/write mode, return. Nothing happens.
3. Let format be the first argument, converted to ASCII lowercase.
4. If format equals "text", change it to "text/plain".
   If format equals "url", change it to "text/uri-list".
5. Remove the item in the drag data store item list whose kind is text and whose type string is equal to format, if there is one.
6. Add an item to the drag data store item list whose kind is text, whose type string is equal to format, and whose data is the string given by the method's second argument.
The clearData(format) method must run the following steps:
1. If the DataTransfer object is no longer associated with a drag data store, return. Nothing happens.
2. If the drag data store's mode is not the read/write mode, return. Nothing happens.
3. If the method was called with no arguments, remove each item in the drag data store item list whose kind is Plain Unicode string, and return.
4. Set format to format, converted to ASCII lowercase.
5. If format equals "text", change it to "text/plain".
   If format equals "url", change it to "text/uri-list".
6. Remove the item in the drag data store item list whose kind is text and whose type string is equal to format, if there is one.
The clearData() method does not affect whether any files were included in the drag, so the types attribute's list might still not be empty after calling clearData() (it would still contain the "Files" string if any files were included in the drag).
The files attribute must return a live FileList sequence consisting of File objects representing the files found by the following steps. Furthermore, for a given FileList object and a given underlying file, the same File object must be used each time.
1. Start with an empty list.
2. If the DataTransfer object is no longer associated with a drag data store, the FileList is empty. Return the empty list.
3. If the drag data store's mode is the protected mode, return the empty list.
4. For each item in the drag data store item list whose kind is File, add the item's data (the file, in particular its name and contents, as well as its type) to the list.
5. The files found by these steps are those in the list.
This version of the API does not expose the types of the files during the drag.
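The mode checks, format aliases, "Files" entry and end-of-event detachment described above can be exercised outside a browser with a small model, runnable in Node.js. This is an added example, not code from the HTML Standard or from any browser; ModelDataTransfer, fireDndEvent, demo and the sample drag data are constructed for illustration.

```javascript
// Added model of the drag data store rules; not a browser implementation.
const RW = 'read/write', RO = 'read-only', PROTECTED = 'protected';

// Lowercase ASCII letters only, then apply the legacy aliases "text" and "url".
function normalizeFormat(format) {
  let type = String(format).replace(/[A-Z]/g, (c) => c.toLowerCase());
  let convertToURL = false;
  if (type === 'text') type = 'text/plain';
  if (type === 'url') { type = 'text/uri-list'; convertToURL = true; }
  return { type, convertToURL };
}

// First URL of a text/uri-list body; lines starting with "#" are comments.
function firstUrl(uriList) {
  for (const line of uriList.split(/\r?\n/)) {
    const s = line.trim();
    if (s && !s.startsWith('#')) return s;
  }
  return '';
}

class ModelDataTransfer {
  constructor(store) { this.store = store; } // set to null once the event is over

  get types() {
    if (!this.store) return Object.freeze([]);
    const out = this.store.items.filter((i) => i.kind === 'text').map((i) => i.type);
    if (this.store.items.some((i) => i.kind === 'file')) out.push('Files');
    return Object.freeze(out);
  }

  setData(format, data) {
    if (!this.store || this.store.mode !== RW) return; // silently ignored
    const { type } = normalizeFormat(format);
    this.clearData(type); // at most one text item per type string
    this.store.items.push({ kind: 'text', type, data: String(data) });
  }

  getData(format) {
    if (!this.store || this.store.mode === PROTECTED) return '';
    const { type, convertToURL } = normalizeFormat(format);
    const item = this.store.items.find((i) => i.kind === 'text' && i.type === type);
    if (!item) return '';
    return convertToURL ? firstUrl(item.data) : item.data;
  }

  clearData(format) {
    if (!this.store || this.store.mode !== RW) return;
    const type = format === undefined ? null : normalizeFormat(format).type;
    // File items always survive clearData().
    this.store.items = this.store.items.filter(
      (i) => i.kind !== 'text' || (type !== null && i.type !== type));
  }
}

// Mode per event as listed in 6.11.2; the object is valid only while the event fires.
function fireDndEvent(store, name, handler) {
  store.mode = name === 'dragstart' ? RW : name === 'drop' ? RO : PROTECTED;
  const dataTransfer = new ModelDataTransfer(store);
  const result = handler(dataTransfer);
  dataTransfer.store = null; // break the association
  return { result, dataTransfer };
}

// Constructed sample drag: one file item is already present in the store.
function demo() {
  const store = { mode: PROTECTED, items: [{ kind: 'file', type: 'image/png', data: null }] };
  fireDndEvent(store, 'dragstart', (dt) => {
    dt.setData('URL', '# constructed sample\r\nhttps://example.test/a\r\nhttps://example.test/b');
    dt.setData('Text', 'first');
    dt.setData('TEXT/PLAIN', 'second'); // same type string, replaces 'first'
    dt.setData('text/x-example', 'fruit-apple');
    dt.clearData('text/x-example');
  });
  const over = fireDndEvent(store, 'dragover', (dt) => {
    dt.setData('text/plain', 'tampered'); // ignored: not read/write mode
    return { types: [...dt.types], text: dt.getData('text') };
  });
  const drop = fireDndEvent(store, 'drop', (dt) => ({
    url: dt.getData('url'),
    list: dt.getData('text/uri-list'),
    text: dt.getData('Text'),
  }));
  const late = drop.dataTransfer; // reference kept after the handler returned
  return {
    over: over.result,
    drop: drop.result,
    lateText: late.getData('text'),
    lateTypes: late.types.length,
  };
}
```

In the model, a dragover handler can enumerate the type strings but reads an empty string for every format, and a reference kept past the drop handler reads nothing at all.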
6.11.3.1 The DataTransferItemList interface
Each DataTransfer object is associated with a DataTransferItemList object.
    [Exposed=Window]
    interface DataTransferItemList {
      readonly attribute unsigned long length;
      getter DataTransferItem (unsigned long index);
      DataTransferItem? add(DOMString data, DOMString type);
      DataTransferItem? add(File data);
      undefined remove(unsigned long index);
      undefined clear();
    };
items.length
Returns the number of items in the drag data store.
items[index]
Returns the DataTransferItem object representing the indexth entry in the drag data store.
items.remove(index)
Removes the indexth entry in the drag data store.
items.clear()
Removes all the entries in the drag data store.
items.add(data)
items.add(data, type)
Adds a new entry for the given data to the drag data store. If the data is plain text then a type string has to be provided also.
While the DataTransferItemList object's DataTransfer object is associated with a drag data store, the DataTransferItemList object's mode is the same as the drag data store mode. When the DataTransferItemList object's DataTransfer object is not associated with a drag data store, the DataTransferItemList object's mode is the disabled mode. The drag data store referenced in this section (which is used only when the DataTransferItemList object is not in the disabled mode) is the drag data store with which the DataTransferItemList object's DataTransfer object is associated.
The length attribute must return zero if the object is in the disabled mode; otherwise it must return the number of items in the drag data store item list.
When a DataTransferItemList object is not in the disabled mode, its supported property indices are the indices of the drag data store item list.
To determine the value of an indexed property of a DataTransferItemList object, the user agent must return a DataTransferItem object representing the th item in the drag data store. The same object must be returned each time a particular item is obtained from this DataTransferItemList object. The DataTransferItem object must be associated with the same DataTransfer object as the DataTransferItemList object when it is first created.
The add() method must run the following steps:
1. If the DataTransferItemList object is not in the read/write mode, return null.
2. Jump to the appropriate set of steps from the following list:
   If the first argument to the method is a string
       If there is already an item in the drag data store item list whose kind is text and whose type string is equal to the value of the method's second argument, converted to ASCII lowercase, then throw a "NotSupportedError" DOMException.
       Otherwise, add an item to the drag data store item list whose kind is text, whose type string is equal to the value of the method's second argument, converted to ASCII lowercase, and whose data is the string given by the method's first argument.
   If the first argument to the method is a File
       Add an item to the drag data store item list whose kind is File, whose type string is the type of the File, converted to ASCII lowercase, and whose data is the same as the File's data.
3. Determine the value of the indexed property corresponding to the newly added item, and return that value (a newly created DataTransferItem object).
The remove(index) method must run these steps:
1. If the DataTransferItemList object is not in the read/write mode, throw an "InvalidStateError" DOMException.
2. If the drag data store does not contain an indexth item, then return.
3. Remove the indexth item from the drag data store.
The clear() method, if the DataTransferItemList object is in the read/write mode, must remove all the items from the drag data store. Otherwise, it must do nothing.
6.11.3.2 The DataTransferItem interface
Each DataTransferItem object is associated with a DataTransfer object.
    [Exposed=Window]
    interface DataTransferItem {
      readonly attribute DOMString kind;
      readonly attribute DOMString type;
      undefined getAsString(FunctionStringCallback? _callback);
      File? getAsFile();
    };

    callback FunctionStringCallback = undefined (DOMString data);
item.kind
Returns the drag data item kind, one of: "string", "file".
item.type
Returns the drag data item type string.
item.getAsString(callback)
Invokes the callback with the string data as the argument, if the drag data item kind is text.
file = item.getAsFile()
Returns a File object, if the drag data item kind is File.
While the DataTransferItem object's DataTransfer object is associated with a drag data store and that drag data store's drag data store item list still contains the item that the DataTransferItem object represents, the DataTransferItem object's mode is the same as the drag data store mode. When the DataTransferItem object's DataTransfer object is not associated with a drag data store, or if the item that the DataTransferItem object represents has been removed from the relevant drag data store item list, the DataTransferItem object's mode is the disabled mode. The drag data store referenced in this section (which is used only when the DataTransferItem object is not in the disabled mode) is the drag data store with which the DataTransferItem object's DataTransfer object is associated.
The kind attribute must return the empty string if the DataTransferItem object is in the disabled mode; otherwise it must return the string given in the cell from the second column of the following table from the row whose cell in the first column contains the drag data item kind of the item represented by the DataTransferItem object:
    Kind | String
    Text | string
    File | file
The type attribute must return the empty string if the DataTransferItem object is in the disabled mode; otherwise it must return the drag data item type string of the item represented by the DataTransferItem object.
The getAsString(callback) method must run the following steps:
1. If the callback is null, return.
2. If the DataTransferItem object is not in the read/write mode or the read-only mode, return. The callback is never invoked.
3. If the drag data item kind is not text, then return. The callback is never invoked.
4. Otherwise, queue a task to invoke callback, passing the actual data of the item represented by the DataTransferItem object as the argument.
The getAsFile() method must run the following steps:
1. If the DataTransferItem object is not in the read/write mode or the read-only mode, then return null.
2. If the drag data item kind is not File, then return null.
3. Return a new File object representing the actual data of the item represented by the DataTransferItem object.
6.11.4 The DragEvent interface
The drag-and-drop processing model involves several events. They all use the DragEvent interface.
    [Exposed=Window]
    interface DragEvent : MouseEvent {
      constructor(DOMString type, optional DragEventInit eventInitDict = {});

      readonly attribute DataTransfer? dataTransfer;
    };

    dictionary DragEventInit : MouseEventInit {
      DataTransfer? dataTransfer = null;
    };
event.dataTransfer
Returns the DataTransfer object for the event.
Although, for consistency with other event interfaces, the DragEvent interface has a constructor, it is not particularly useful. In particular, there's no way to create a useful DataTransfer object from script, as DataTransfer objects have a processing and security model that is coordinated by the browser during drag-and-drops.
The dataTransfer attribute of the DragEvent interface must return the value it was initialized to. It represents the context information for the event.
When a user agent is required to fire a DND event named at an element, using a particular drag data store, and optionally with a specific related target, the user agent must run the following steps:
1. Let dataDragStoreWasChanged be false.
2. If no specific related target was provided, set related target to null.
3. Let window be the relevant global object of the Document object of the specified target element.
4. If is dragstart, then set the drag data store mode to the read/write mode and set dataDragStoreWasChanged to true.
   If is drop, set the drag data store mode to the read-only mode.
5. Let dataTransfer be a newly created DataTransfer object associated with the given drag data store.
6. Set the effectAllowed attribute to the drag data store's drag data store allowed effects state.
7. Set the dropEffect attribute to "none" if is dragstart, drag, or dragleave; to the value corresponding to the current drag operation if is drop or dragend; and to a value based on the effectAllowed attribute's value and the drag-and-drop source, as given by the following table, otherwise (i.e. if is dragenter or dragover):
    effectAllowed | dropEffect
    "none" | "none"
    "copy" | "copy"
    "copyLink" | "copy", or, if appropriate, "link"
    "copyMove" | "copy", or, if appropriate, "move"
    "all" | "copy", or, if appropriate, either "link" or "move"
    "link" | "link"
    "linkMove" | "link", or, if appropriate, "move"
    "move" | "move"
    "uninitialized" when what is being dragged is a selection from a text control | "move", or, if appropriate, either "copy" or "link"
    "uninitialized" when what is being dragged is a selection | "copy", or, if appropriate, either "link" or "move"
    "uninitialized" when what is being dragged is an element with an href attribute | "link", or, if appropriate, either "copy" or "move"
    Any other case | "copy", or, if appropriate, either "link" or "move"
   Where the table above provides possibly appropriate alternatives, user agents may instead use the listed alternative values if platform conventions dictate that the user has requested those alternate effects.
   For example, Windows platform conventions are such that dragging while holding the "alt" key indicates a preference for linking the data, rather than moving or copying it. Therefore, on a Windows system, if "link" is an option according to the table above while the "alt" key is depressed, the user agent could select that instead of "copy" or "move".
8. Let event be the result of creating an event using DragEvent.
9. Initialize event's type attribute to , its bubbles attribute to true, its view attribute to window, its relatedTarget attribute to related target, and its dataTransfer attribute to dataTransfer.
10. If is not dragleave or dragend, then initialize event's cancelable attribute to true.
11. Initialize event's mouse and key attributes according to the state of the input devices as they would be for user interaction events.
    If there is no relevant pointing device, then initialize event's screenX, screenY, clientX, clientY, and button attributes to 0.
12. Dispatch event at the specified target element.
13. Set the drag data store allowed effects state to the current value of dataTransfer's effectAllowed attribute. (It can only have changed value if is dragstart.)
14. If dataDragStoreWasChanged is true, then set the drag data store mode back to the protected mode.
15. Break the association between dataTransfer and the drag data store.
6.11.5 Processing model
When the user attempts to begin a drag operation, the user agent must run the following steps. User agents must act as if these steps were run even if the drag actually started in another document or application and the user agent was not aware that the drag was occurring until it intersected with a document under the user agent's purview.
Determine what is being dragged, as follows:
  If the drag operation was invoked on a selection, then it is the selection that is being dragged.
  Otherwise, if the drag operation was invoked on a Document, it is the first element, going up the ancestor chain, starting at the node that the user tried to drag, that has the IDL attribute draggable set to true. If there is no such element, then nothing is being dragged; return, the drag-and-drop operation is never started.
  Otherwise, the drag operation was invoked outside the user agent's purview. What is being dragged is defined by the document or application where the drag was started.
  img elements and elements with an href attribute have their draggable attribute set to true by default.
Create a drag data store. All the DND events fired subsequently by the steps in this section must use this drag data store.
Establish which DOM node is the source node, as follows:
  If it is a selection that is being dragged, then the source node is the Text node that the user started the drag on (typically the Text node that the user originally clicked). If the user did not specify a particular node, for example if the user just told the user agent to begin a drag of "the selection", then the source node is the first Text node containing a part of the selection.
  Otherwise, if it is an element that is being dragged, then the source node is the element that is being dragged.
  Otherwise, the source node is part of another document or application. When this specification requires that an event be dispatched at the source node in this case, the user agent must instead follow the platform-specific conventions relevant to that situation.
  Multiple events are fired on the source node during the course of the drag-and-drop operation.
Determine the list of dragged nodes, as follows:
  If it is a selection that is being dragged, then the list of dragged nodes contains, in tree order, every node that is partially or completely included in the selection (including all their ancestors).
  Otherwise, the list of dragged nodes contains only the source node, if any.
If it is a selection that is being dragged, then add an item to the drag data store item list, with its properties set as follows:
  The drag data item type string: "text/plain"
  The drag data item kind: Text
  The actual data: The text of the selection
Otherwise, if any files are being dragged, then add one item per file to the drag data store item list, with their properties set as follows:
  The drag data item type string: The MIME type of the file, if known, or "application/octet-stream" otherwise.
  The drag data item kind: File
  The actual data: The file's contents and name.
Dragging files can currently only happen from outside a navigable, for example from a file system manager application.
If the drag initiated outside of the application, the user agent must add items to the drag data store item list as appropriate for the data being dragged, honoring platform conventions where appropriate; however, if the platform conventions do not use MIME types to label dragged data, the user agent must make a best-effort attempt to map the types to MIME types, and, in any case, all the drag data item type strings must be converted to ASCII lowercase.
User agents may also add one or more items representing the selection or dragged element(s) in other forms, e.g. as HTML.
If the list of dragged nodes is not empty, then extract the microdata from those nodes into a JSON form, and add one item to the drag data store item list, with its properties set as follows:
  The drag data item type string: application/microdata+json
  The drag data item kind: Text
  The actual data: The resulting JSON string.
Run the following substeps:
  Let urls be « ».
  For each node in the list of dragged nodes:
    If the node is an element with an href attribute
      Add to urls the result of encoding-parsing-and-serializing a URL given the element's href content attribute's value, relative to the element's node document.
    If the node is an img element with a src attribute
      Add to urls the result of encoding-parsing-and-serializing a URL given the element's src content attribute's value, relative to the element's node document.
  If urls is still empty, then return.
  Let url string be the result of concatenating the strings in urls, in the order they were added, separated by a U+000D CARRIAGE RETURN U+000A LINE FEED character pair (CRLF).
  Add one item to the drag data store item list, with its properties set as follows:
    The drag data item type string: text/uri-list
    The drag data item kind: Text
    The actual data: url string
Update the drag data store default feedback as appropriate for the user agent (if the user is dragging the selection, then the selection would likely be the basis for this feedback; if the user is dragging an element, then that element's rendering would be used; if the drag began outside the user agent, then the platform conventions for determining the drag feedback should be used).
Fire a DND event named dragstart at the source node.
If the event is canceled, then the drag-and-drop operation should not occur; return.
Since events with no event listeners registered are, almost by definition, never canceled, drag-and-drop is always available to the user if the author does not specifically prevent it.
Fire a pointer event at the source node named pointercancel, and fire any other follow-up events as required by Pointer Events. [POINTEREVENTS]
Initiate the drag-and-drop operation in a manner consistent with platform conventions, and as described below.
The drag-and-drop feedback must be generated from the first of the following sources that is available:
  The drag data store bitmap, if any. In this case, the drag data store hot spot coordinate should be used as hints for where to put the cursor relative to the resulting image. The values are expressed as distances in CSS pixels from the left side and from the top side of the image respectively. [CSS]
  The drag data store default feedback.
From the moment that the user agent is to initiate the drag-and-drop operation until the end of the drag-and-drop operation, device input events (e.g. mouse and keyboard events) must be suppressed.
During the drag operation, the element directly indicated by the user as the drop target is called the immediate user selection. (Only elements can be selected by the user; other nodes must not be made available as drop targets.) However, the immediate user selection is not necessarily the current target element, which is the element currently selected for the drop part of the drag-and-drop operation.
The immediate user selection changes as the user selects different elements (either by pointing at them with a pointing device, or by selecting them in some other way). The current target element changes when the immediate user selection changes, based on the results of event listeners in the document, as described below.
Both the current target element and the immediate user selection can be null, which means no target element is selected. They can also both be elements in other (DOM-based) documents, or other (non-web) programs altogether. (For example, a user could drag text to a word-processor.) The current target element is initially null.
In addition, there is also a current drag operation, which can take on the values "none", "copy", "link", and "move". Initially, it has the value "none". It is updated by the user agent as described in the steps below.
User agents must, as soon as the drag operation is initiated and every 350ms (±200ms) thereafter for as long as the drag operation is ongoing, queue a task to perform the following steps in sequence:
  If the user agent is still performing the previous iteration of the sequence (if any) when the next iteration becomes due, return for this iteration (effectively "skipping missed frames" of the drag-and-drop operation).
  Fire a DND event named drag at the source node. If this event is canceled, the user agent must set the current drag operation to "none" (no drag operation).
  If the drag event was not canceled and the user has not ended the drag-and-drop operation, check the state of the drag-and-drop operation, as follows:
    If the user is indicating a different immediate user selection than during the last iteration (or if this is the first iteration), and if this immediate user selection is not the same as the current target element, then update the current target element as follows:
      If the new immediate user selection is null
        Set the current target element to null also.
      If the new immediate user selection is in a non-DOM document or application
        Set the current target element to the immediate user selection.
      Otherwise
        Fire a DND event named dragenter at the immediate user selection.
        If the event is canceled, then set the current target element to the immediate user selection.
        Otherwise, run the appropriate step from the following list:
          If the immediate user selection is a text control (e.g., textarea, or an input element whose type attribute is in the Text state) or an editing host or editable element, and the drag data store item list has an item with the drag data item type string "text/plain" and the drag data item kind text
            Set the current target element to the immediate user selection anyway.
          If the immediate user selection is the body element
            Leave the current target element unchanged.
          Otherwise
            Fire a DND event named dragenter at the body element, if there is one, or at the Document object, if not. Then, set the current target element to the body element, regardless of whether that event was canceled or not.
    If the previous step caused the current target element to change, and if the previous target element was not null or a part of a non-DOM document, then fire a DND event named dragleave at the previous target element, with the new current target element as the specific related target.
    If the current target element is a DOM element, then fire a DND event named dragover at this current target element.
    If the dragover event is not canceled, run the appropriate step from the following list:
      If the current target element is a text control (e.g., textarea, or an input element whose type attribute is in the Text state) or an editing host or editable element, and the drag data store item list has an item with the drag data item type string "text/plain" and the drag data item kind text
        Set the current drag operation to either "copy" or "move", as appropriate given the platform conventions.
      Otherwise
        Reset the current drag operation to "none".
    Otherwise (if the dragover event is canceled), set the current drag operation based on the values of the effectAllowed and dropEffect attributes of the DragEvent object's dataTransfer object as they stood after the event dispatch finished, as per the following table:

| effectAllowed | dropEffect | Drag operation |
|---|---|---|
| "uninitialized", "copy", "copyLink", "copyMove", or "all" | "copy" | "copy" |
| "uninitialized", "link", "copyLink", "linkMove", or "all" | "link" | "link" |
| "uninitialized", "move", "copyMove", "linkMove", or "all" | "move" | "move" |
| Any other case | | "none" |

    Otherwise, if the current target element is not a DOM element, use platform-specific mechanisms to determine what drag operation is being performed (none, copy, link, or move), and set the current drag operation accordingly.
    Update the drag feedback (e.g. the mouse cursor) to match the current drag operation, as follows:

| Drag operation | Feedback |
|---|---|
| "copy" | Data will be copied if dropped here. |
| "link" | Data will be linked if dropped here. |
| "move" | Data will be moved if dropped here. |
| "none" | No operation allowed, dropping here will cancel the drag-and-drop operation. |

  Otherwise, if the user ended the drag-and-drop operation (e.g. by releasing the mouse button in a mouse-driven drag-and-drop interface), or if the drag event was canceled, then this will be the last iteration. Run the following steps, then stop the drag-and-drop operation:
    If the current drag operation is "none" (no drag operation), or if the user ended the drag-and-drop operation by canceling it (e.g. by hitting the Escape key), or if the current target element is null, then the drag operation failed. Run these substeps:
      Let dropped be false.
      If the current target element is a DOM element, fire a DND event named dragleave at it; otherwise, if it is not null, use platform-specific conventions for drag cancelation.
      Set the current drag operation to "none".
    Otherwise, the drag operation might be a success; run these substeps:
      Let dropped be true.
      If the current target element is a DOM element, fire a DND event named drop at it; otherwise, use platform-specific conventions for indicating a drop.
      If the event is canceled, set the current drag operation to the value of the dropEffect attribute of the DragEvent object's dataTransfer object as it stood after the event dispatch finished.
      Otherwise, the event is not canceled; perform the event's default action, which depends on the exact target as follows:
        If the current target element is a text control (e.g., textarea, or an input element whose type attribute is in the Text state) or an editing host or editable element, and the drag data store item list has an item with the drag data item type string "text/plain" and the drag data item kind text
          Insert the actual data of the first item in the drag data store item list to have a drag data item type string of "text/plain" and a drag data item kind that is text into the text control or editing host or editable element in a manner consistent with platform-specific conventions (e.g. inserting it at the current mouse cursor position, or inserting it at the end of the field).
        Otherwise
          Reset the current drag operation to "none".
    Fire a DND event named dragend at the source node.
    Run the appropriate steps from the following list as the default action of the dragend event:
      If dropped is true, the current target element is a text control (see below), the current drag operation is "move", and the source of the drag-and-drop operation is a selection in the DOM that is entirely contained within an editing host
        Delete the selection.
      If dropped is true, the current target element is a text control (see below), the current drag operation is "move", and the source of the drag-and-drop operation is a selection in a text control
        The user agent should delete the dragged selection from the relevant text control.
      If dropped is false or if the current drag operation is "none"
        The drag was canceled. If the platform conventions dictate that this be represented to the user (e.g. by animating the dragged selection going back to the source of the drag-and-drop operation), then do so.
      Otherwise
        The event has no default action.
    For the purposes of this step, a text control is a textarea element or an input element whose type attribute is in one of the Text, Tel, URL, Email, Password, or Number states.
User agents are encouraged to consider how to react to drags near the edge of scrollable regions. For example, if a user drags a link to the bottom of the viewport on a long page, it might make sense to scroll the page so that the user can drop the link lower on the page.
This model is independent of which Document object the nodes involved are from; the events are fired as described above and the rest of the processing model runs as described above, irrespective of how many documents are involved in the operation.
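The dragover resolution described above, modelled as an added example (not code from the specification): it derives the dropEffect the user agent presents to a dragover listener and the resulting current drag operation, showing that a drop only fires when the listener's dropEffect is compatible with effectAllowed, and that text controls and editable elements accept "text/plain" drops with no listener at all. Function, parameter and source-kind names are assumptions, and the platform-dependent alternatives are not modelled.

```javascript
// Added example, not code from the specification. All names are assumptions.

// dropEffect the user agent sets before dispatching dragenter or dragover:
// the first value in each row of the effectAllowed table (the platform
// alternatives marked "if appropriate" are not modelled).
function initialDropEffect(effectAllowed, source) {
  switch (effectAllowed) {
    case "none":
      return "none";
    case "copy":
    case "copyLink":
    case "copyMove":
    case "all":
      return "copy";
    case "link":
    case "linkMove":
      return "link";
    case "move":
      return "move";
    default: // "uninitialized": depends on what is being dragged
      if (source === "text-control-selection") return "move";
      if (source === "link") return "link"; // element with an href attribute
      return "copy"; // a selection, or any other case
  }
}

// effectAllowed values that permit each dropEffect after a canceled dragover.
const PERMITTED_BY = {
  copy: ["uninitialized", "copy", "copyLink", "copyMove", "all"],
  link: ["uninitialized", "link", "copyLink", "linkMove", "all"],
  move: ["uninitialized", "move", "copyMove", "linkMove", "all"],
};

function operationAfterCanceledDragover(effectAllowed, dropEffect) {
  const permitted = PERMITTED_BY[dropEffect];
  return Array.isArray(permitted) && permitted.includes(effectAllowed) ? dropEffect : "none";
}

// Resolve one dragover dispatch at a DOM target.
//   listener(dataTransfer) returns true when it cancels the event; null = no listener.
//   targetAcceptsText: target is a text control, editing host or editable element.
//   hasPlainText: the drag data store has a text/plain item of kind text.
function resolveDragover({ effectAllowed, source, listener = null,
                           targetAcceptsText = false, hasPlainText = false,
                           platformTextOperation = "copy" }) {
  // effectAllowed keeps its post-dragstart value; only dropEffect can be changed here.
  const dataTransfer = { dropEffect: initialDropEffect(effectAllowed, source) };
  const canceled = listener !== null && listener(dataTransfer) === true;
  let operation;
  if (canceled) {
    operation = operationAfterCanceledDragover(effectAllowed, dataTransfer.dropEffect);
  } else if (targetAcceptsText && hasPlainText) {
    operation = platformTextOperation; // "copy" or "move", per platform conventions
  } else {
    operation = "none";
  }
  // If the user releases here, drop fires only when the operation is not "none".
  return { dropEffect: dataTransfer.dropEffect, operation, dropWillFire: operation !== "none" };
}
```

For a reviewer, the third branch is the one to remember: an editable region is a valid drop target for text without any script opting in.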
6.11.6 Events summary
This section is non-normative.
The following events are involved in the drag-and-drop model.

| Event name | Target | Cancelable? | Drag data store mode | dropEffect | Default Action |
|---|---|---|---|---|---|
| dragstart | Source node | ✓ Cancelable | Read/write mode | "none" | Initiate the drag-and-drop operation |
| drag | Source node | ✓ Cancelable | Protected mode | "none" | Continue the drag-and-drop operation |
| dragenter | Immediate user selection or the body element | ✓ Cancelable | Protected mode | Based on effectAllowed value | Reject immediate user selection as potential target element |
| dragleave | Previous target element | | Protected mode | "none" | None |
| dragover | Current target element | ✓ Cancelable | Protected mode | Based on effectAllowed value | Reset the current drag operation to "none" |
| drop | Current target element | ✓ Cancelable | Read-only mode | Current drag operation | Varies |
| dragend | Source node | | Protected mode | Current drag operation | Varies |

All of these events bubble, are composed, and the effectAllowed attribute always has the value it had after the dragstart event, defaulting to "uninitialized" in the dragstart event.
6.11.7 The draggable attribute
All HTML elements may have the draggable content attribute set. The draggable attribute is an enumerated attribute with the following keywords and states:

| Keyword | State | Brief description |
|---|---|---|
| true | True | The element will be draggable. |
| false | False | The element will not be draggable. |

The attribute's missing value default and invalid value default are both the Auto state. The auto state uses the default behavior of the user agent.
An element with a draggable attribute should also have a title attribute that names the element for the purpose of non-visual interactions.
element.draggable [ = value ]
  Returns true if the element is draggable; otherwise, returns false.
  Can be set, to override the default and set the draggable content attribute.
The draggable IDL attribute, whose value depends on the content attribute's in the way described below, controls whether or not the element is draggable. Generally, only text selections are draggable, but elements whose draggable IDL attribute is true become draggable as well.
If an element's draggable content attribute has the state True, the draggable IDL attribute must return true.
Otherwise, if the element's draggable content attribute has the state False, the draggable IDL attribute must return false.
Otherwise, the element's draggable content attribute has the state Auto. If the element is an img element, an object element that represents an image, or an element with an href content attribute, the draggable IDL attribute must return true; otherwise, the draggable IDL attribute must return false.
If the draggable IDL attribute is set to the value false, the draggable content attribute must be set to the literal value "false". If the draggable IDL attribute is set to the value true, the draggable content attribute must be set to the literal value "true".
6.11.8 Security risks in the drag-and-drop model
User agents must not make the data added to the DataTransfer object during the dragstart event available to scripts until the drop event, because otherwise, if a user were to drag sensitive information from one document to a second document, crossing a hostile third document in the process, the hostile document could intercept the data.
For the same reason, user agents must consider a drop to be successful only if the user specifically ended the drag operation; if any scripts end the drag operation, it must be considered unsuccessful (canceled) and the drop event must not be fired.
User agents should take care to not start drag-and-drop operations in response to script actions. For example, in a mouse-and-window environment, if a script moves a window while the user has their mouse button depressed, the UA would not consider that to start a drag. This is important because otherwise UAs could cause data to be dragged from sensitive sources and dropped into hostile documents without the user's consent.
User agents should filter potentially active (scripted) content (e.g. HTML) when it is dragged and when it is dropped, using a safelist of known-safe features. Similarly, relative URLs should be turned into absolute URLs to avoid references changing in unexpected ways. This specification does not specify how this is performed.
Consider a hostile page providing some content and getting the user to select and drag and drop (or indeed, copy and paste) that content to a victim page's contenteditable region. If the browser does not ensure that only safe content is dragged, potentially unsafe content such as scripts and event handlers in the selection, once dropped (or pasted) into the victim site, get the privileges of the victim site. This would thus enable a cross-site scripting attack.
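A page-side complement to the user-agent filtering described above, as an added example rather than code from the specification: a drop handler for an editable region that cancels the drop so the default insertion does not run, reads only "text/plain" and "text/uri-list", never reads "text/html", and keeps only http(s) URLs. The function names, the scheme allowlist and the sample transfer are assumptions constructed for illustration.

```javascript
// Added example, not code from the specification. All names are assumptions.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Split a text/uri-list payload (URLs joined by CRLF, as the processing model
// builds it) and keep only URLs whose scheme is on the allowlist.
function parseUriList(payload, baseUrl) {
  const accepted = [];
  const rejected = [];
  for (const line of payload.split(/\r\n|\r|\n/)) {
    const entry = line.trim();
    if (entry === "" || entry.startsWith("#")) continue; // blank or comment line (RFC 2483)
    let parsed = null;
    try {
      parsed = new URL(entry, baseUrl); // also resolves any relative reference
    } catch (err) {
      parsed = null; // unparseable entry
    }
    if (parsed !== null && ALLOWED_SCHEMES.has(parsed.protocol)) {
      accepted.push(parsed.href);
    } else {
      rejected.push(entry);
    }
  }
  return { accepted, rejected };
}

// Read only inert formats from a DataTransfer-like object. text/html and any
// other type are reported but never read, so markup cannot reach the page.
function readInertDropData(dataTransfer, baseUrl) {
  const types = Array.from(dataTransfer.types);
  const text = types.includes("text/plain") ? dataTransfer.getData("text/plain") : "";
  const uriList = types.includes("text/uri-list") ? dataTransfer.getData("text/uri-list") : "";
  const links = parseUriList(uriList, baseUrl);
  const ignoredTypes = types.filter((t) => t !== "text/plain" && t !== "text/uri-list");
  return { text, links: links.accepted, rejectedLinks: links.rejected, ignoredTypes };
}

// Body of a drop listener: cancel the event so the user agent's default
// insertion does not run, then insert the text as a Text node, never as markup.
// Browser wiring: el.addEventListener("drop", (e) => handleDrop(e, el, document.baseURI));
function handleDrop(event, target, baseUrl) {
  event.preventDefault();
  const data = readInertDropData(event.dataTransfer, baseUrl);
  target.append(data.text); // append(string) creates a Text node
  return data;
}

// Constructed sample standing in for event.dataTransfer during a drop.
function makeSampleTransfer() {
  const store = {
    "text/plain": "hello",
    "text/html": '<span onclick="doSomething()">hello</span>',
    "text/uri-list": "https://example.com/a\r\njavascript:void(0)\r\n/relative/path",
  };
  return { types: Object.keys(store), getData: (type) => store[type] || "" };
}
```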