Classical clickjacking just makes you click a button, but there are also attacks that require you to perform drag-and-drop actions – for example if someone wants to make you set a new email for your account or if someone wants to make you extract the contents of your calendar to his website. The chromium guys decided that this shouldn't be possible because you need cross-origin drag-and-drop approximately never, so they filed a webkit bug (which is still restricted at the time I'm writing this) and patched that possibility away. Now you can't drop between different origins anymore in Chromium.

Except that there's a tiny detail that weakens the security a lot: If there is a page from domain A which embeds pages B1 and B2 from domain B, drag-and-drop is still allowed between B1 and B2. So, the attacking website A first loads the page it wants to attack (B1) into one frame. Let's say page A wants to make you set a new password for your account. This means that it needs frame B2 to display the email address it wants to set. Well, no problem – it just navigates frame B2 to http://victimdomain/search.cgi? B2 then shows something like this:

Query: Your search for "" did not return any results. Maybe you want kitten pictures instead?

So the attacker can basically do the same attack as without that defense measure the chromium devs introduced, he just needs to do a bit more work.

That was for inserting data, what about extracting it? That might also be possible. A document sharing website might let you drag the data into another document. A "social" webservice might have an "email to a friend" option in which you can attach a "personal message" or so. A webmailer might let you send out the data via an email. To cut it short, the larger your webapp is, the higher the probability that there's some way to extract data.

So, what's the lesson from this? Chromium has a nice last line of defense there, but you shouldn't rely on it.