[whatwg] Potential Security Problem in Global Storage Specification

Gervase Markham gerv at mozilla.org
Mon Jun 4 04:51:55 PDT 2007


Jerason Banes wrote:
> That effectively restricts the storage to a single domain and is in line 
> with how cookies work today.

Yes, it does. But I don't think I have been insufficiently clear.

My issue is not with the idea of DOM Storage as a whole, but with the 
idea of sharing information across sites - which requires this global 
storage.

> I wasn't able to find any docs that describe the Storage security model 
> used in Gecko, so I ran a few tests. What I found was that any attempt 
> to access globalStorage[''] or globalStorage['com'] from the context of 
> a website resulted in a security error. You can try the test for 
> yourself here:
> 
> http://java.dnsalias.com/temp/storage.html

I suspect it might use, or be planning to use, the Effective TLD 
service, which provides information necessary to implement the scheme 
you referenced above.

>     Is there a document somewhere outlining the actual benefits of this
>     feature, even as potentially restricted?
> 
> The specification has this explanation: "Web applications may wish to 
> store megabytes of user data, such as entire user-authored documents or 
> a user's mailbox, on the clientside for performance reasons."

To restate more clearly: "Is there a document somewhere outlining the 
actual benefits of being able to share data across domains?"

Gerv
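
The behaviour reported in the quoted test (security errors for globalStorage[''] and globalStorage['com']), combined with an Effective TLD lookup, can be expressed as the access check below. This is an added example, not code from the thread or from Gecko; the function names, the reason strings and the four-entry suffix set are constructed assumptions, and wildcard suffix rules are not handled.

```javascript
// Added illustration of a globalStorage access check; not Gecko's implementation.
// Constructed stand-in for the data an Effective TLD service would supply.
const EFFECTIVE_TLDS = new Set(["com", "org", "uk", "co.uk"]);

// Lower-case the name and drop a trailing root dot so comparisons are stable.
function normalize(name) {
  return name.toLowerCase().replace(/\.$/, "");
}

// True when `domain` is `host` itself or a parent of it on a label boundary.
// The leading "." stops "evilexample.com" from matching "example.com".
function isSelfOrParent(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Decide whether a page served from `pageHost` may open
// globalStorage[requestedDomain]. Hypothetical helper for this example.
function checkGlobalStorageAccess(pageHost, requestedDomain) {
  const host = normalize(pageHost);
  const domain = normalize(requestedDomain);

  if (domain === "") {
    // globalStorage[''] would be visible to every site.
    return { allowed: false, reason: "global-namespace" };
  }
  if (EFFECTIVE_TLDS.has(domain)) {
    // globalStorage['com'] would be shared by all sites under that suffix.
    return { allowed: false, reason: "effective-tld" };
  }
  if (!isSelfOrParent(host, domain)) {
    return { allowed: false, reason: "unrelated-domain" };
  }
  return { allowed: true, reason: host === domain ? "same-host" : "parent-domain" };
}

// Constructed sample requests.
const samples = [
  ["www.example.com", ""],
  ["www.example.com", "com"],
  ["www.example.co.uk", "co.uk"],
  ["www.example.com", "example.com"],
  ["evilexample.com", "example.com"],
];
for (const [host, domain] of samples) {
  const r = checkGlobalStorageAccess(host, domain);
  console.log(`${host} -> globalStorage['${domain}']: ${r.allowed} (${r.reason})`);
}
```

A "parent-domain" result is the remaining sharing case under this check: every host below example.com would reach the same storage area.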