[whatwg] Potential Security Problem in Global Storage Specification
ian at hixie.ch
Wed May 30 22:37:25 PDT 2007
On Thu, 31 May 2007, Jerason Banes wrote:
> I was just comparing the Storage API with that of the Google
> Gears <http://gears.google.com>, and something jumped out at me.
> According to the spec, browsers should allow a webapp to store data in
> the globalStorage object with no domain attached. (i.e.
> globalStorage['']) This is intended to allow data to be shared across
> all webpages.
> My concern is that this poses a problem for the user's privacy.
Yeah, this is mentioned in the security section:
...along with recommended solutions to mitigate it.
Ian Hickson
http://ln.hixie.ch/
Things that are impossible just take longer.