Imagine permitting cross-origin drag-n-drop and a page is clickjacked: the user may end up dragging a sensitive item in the clickjacked page into an invisible iframe with a drop point layered on top of whatever target the user thinks they're dropping data into, and the end result would be that data intended for one endpoint, in this case the endpoint that was clickjacked, is sent to another.
It'd be a nontrivial attack to mount, but as you posed the challenge, I can see it done as part of e.g. a phish where a site like dropbox is iframed in a clickjacking attack (assuming they haven't mitigated it).
I can sketch (literally) what the dom might physically look like if it helps convey the attack I have in mind more effectively.
Imagine permitting cross-origin drag-n-drop and a page is clickjacked: the user may end up dragging a sensitive item in the clickjacked page into an invisible iframe with a drop point layered on top of whatever target the user thinks they're dropping data into, and the end result would be that data intended for one endpoint, in this case the endpoint that was clickjacked, is sent to another.
It'd be a nontrivial attack to mount, but as you posed the challenge, I can see it done as part of e.g. a phish where a site like dropbox is iframed in a clickjacking attack (assuming they haven't mitigated it).
I can sketch (literally) what the dom might physically look like if it helps convey the attack I have in mind more effectively.