[whatwg] Potenial Security Problem in Global Storage Specification
Gervase Markham
gerv at mozilla.org
Mon Jun 4 04:51:55 PDT 2007
Jerason Banes wrote:
> That effectively restricts the storage to a single domain and is in line
> with how cookies work today.
Yes, it does. But I don't think I have been insufficiently clear.
My issue is not with the idea of DOM Storage as a whole, but with the
idea of sharing information across sites - which requires this global
storage.
> I wasn't able to find any docs that describe the Storage security model
> used in Gecko, so I ran a few tests. What I found was that any attempt
> to access globalStorage[''] or globalStorage['com'] from the context of
> a website resulted in a security error. You can try the test for
> yourself here:
>
> http://java.dnsalias.com/temp/storage.html
I suspect it might use, or be planning to use, the Effective TLD
service, which provides information necessary to implement the scheme
you referenced above.
> Is there a document somewhere outlining the actual benefits of this
> feature, even as potentially restricted?
>
> The specification has this explanation: "Web applications may wish to
> store megabytes of user data, such as entire user-authored documents or
> a user's mailbox, on the clientside for performance reasons."
To restate more clearly: "Is there a document somewhere outlining the
actual benefits of being able to share data across domains?"
Gerv
More information about the whatwg
mailing list