[whatwg] Potential Security Problem in Global Storage Specification

Ian Hickson ian at hixie.ch
Wed May 30 22:37:25 PDT 2007

On Thu, 31 May 2007, Jerason Banes wrote:
> I was just comparing the Storage API with that of the Google 
> Gears<http://gears.google.com>, and something jumped out at me. 
> According to the spec, browsers should allow a webapp to store data in 
> the globalStorage object with no domain attached. (i.e. 
> globalStorage['']) This is intended to allow data to be shared across 
> all webpages.
> My concern is that this poses a problem for the user's privacy.

Yeah, this is mentioned in the security section:


...along with recommended solutions to mitigate it.

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
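The sharing rule the thread discusses, as an added example that is not part of the original message or of any browser: a small in-memory model of the domain-keyed globalStorage draft API. It assumes the draft's access rule (a page on host H may use globalStorage[D] when D is the empty string, equal to H, or a dot-separated parent domain of H); the hosts, item names and values are constructed. It shows the privacy point concretely: an identifier written under the empty key by one site is readable by an unrelated one, while the same site's domain-scoped area is not.

```javascript
// Constructed model of the draft globalStorage access rule (assumption: host H
// may access key D when D === '' or D === H or H ends with '.' + D).
// This is illustrative code, not the spec text and not a browser implementation.

function canAccess(host, key) {
  if (key === '') return true;              // the shared area: every page may use it
  if (host === key) return true;            // the page's own domain
  return host.endsWith('.' + key);          // a subdomain of the key's domain
}

class GlobalStorageModel {
  constructor() {
    this.areas = new Map();                 // key (domain string) -> Map of items
  }

  // Return the storage area for `key`, enforcing the access rule for `host`.
  area(host, key) {
    if (!canAccess(host, key)) {
      throw new Error(`${host} may not access globalStorage['${key}']`);
    }
    if (!this.areas.has(key)) this.areas.set(key, new Map());
    return this.areas.get(key);
  }

  setItem(host, key, name, value) {
    this.area(host, key).set(name, String(value));
  }

  getItem(host, key, name) {
    const a = this.area(host, key);
    return a.has(name) ? a.get(name) : null;
  }
}

// Scenario (constructed): a page on shop.example writes an identifier into the
// shared '' area and its own cart state into its domain-scoped area. A page on
// an unrelated host then tries to read both.
function crossSiteLeakDemo() {
  const gs = new GlobalStorageModel();
  gs.setItem('shop.example', '', 'tracker-id', 'u-12345');
  gs.setItem('shop.example', 'shop.example', 'cart', '3 items');

  const unrelated = 'news.test';
  let scopedBlocked;
  try {
    gs.getItem(unrelated, 'shop.example', 'cart');
    scopedBlocked = false;
  } catch (e) {
    scopedBlocked = true;                   // domain-scoped area is protected
  }
  return {
    sharedReadable: gs.getItem(unrelated, '', 'tracker-id'), // 'u-12345'
    scopedBlocked,                                           // true
  };
}

console.log(crossSiteLeakDemo());
```

The contrast in `crossSiteLeakDemo` is the whole privacy argument: nothing in the empty-key area is bound to the origin that wrote it, so any page can use it as a cross-site identifier, whereas the domain-keyed areas at least restrict readers to the named domain and its subdomains.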
