<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
</head>
<body bgcolor="#ffffff" text="#000099">
See also mozilla bug <a moz-do-not-send="true"
class="moz-txt-link-freetext"
href="https://bugzilla.mozilla.org/show_bug.cgi?id=494799">https://bugzilla.mozilla.org/show_bug.cgi?id=494799</a><br>
<br>
Effective script origin driven by document.domain is used to allow
sharing of properties and data among pages coming from different
subdomains. Should this "data sharing" apply also to sessionStorage and
localStorage? It means: having page load from <a moz-do-not-send="true"
class="moz-txt-link-freetext" href="http://test.mysite.com">http://test.mysite.com</a>
accessing sessionStorage would get sessionStorage bound to
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://test.mysite.com">http://test.mysite.com</a>. When that
same page than changes
document.domain to <a moz-do-not-send="true"
class="moz-txt-link-freetext" href="http://mysite.com">http://mysite.com</a>,
sessionStorage it gets now should
be a different object, bound to <a moz-do-not-send="true"
class="moz-txt-link-freetext" href="http://mysite.com">http://mysite.com</a>.
A reason to do this
is also because of security checking. The subject's origin changes to
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://mysite.com">http://mysite.com</a> and access to
sessionStorage bound to
<a moz-do-not-send="true" class="moz-txt-link-freetext"
href="http://test.mysite.com">http://test.mysite.com</a> should not be
allowed (origins are not equal).<br>
<br>
Opinions?<br>
<br>
</body>
</html>