[whatwg] Potential Security Problem in Global Storage Specification

Ian Hickson ian at hixie.ch
Wed May 30 22:37:25 PDT 2007


On Thu, 31 May 2007, Jerason Banes wrote:
> 
> I was just comparing the Storage API with that of Google Gears 
> <http://gears.google.com>, and something jumped out at me. According to 
> the spec, browsers should allow a webapp to store data in the 
> globalStorage object with no domain attached (i.e. globalStorage['']). 
> This is intended to allow data to be shared across all webpages.
>
> My concern is that this poses a problem for the user's privacy.

Yeah, this is mentioned in the security section:

   http://www.whatwg.org/specs/web-apps/current-work/#security5

...along with recommended solutions to mitigate it.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'