[whatwg] Potential Security Problem in Global Storage Specification
Ian Hickson
ian at hixie.ch
Wed May 30 22:37:25 PDT 2007
On Thu, 31 May 2007, Jerason Banes wrote:
>
> I was just comparing the Storage API with that of Google
> Gears <http://gears.google.com>, and something jumped out at me.
> According to the spec, browsers should allow a webapp to store data in
> the globalStorage object with no domain attached. (i.e.
> globalStorage['']) This is intended to allow data to be shared across
> all webpages.
>
> My concern is that this poses a problem for the user's privacy.
Yeah, this is mentioned in the security section:
http://www.whatwg.org/specs/web-apps/current-work/#security5
...along with recommended solutions to mitigate it.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
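The privacy concern raised above is easiest to see with a small model of domain-scoped storage areas. This is an added example, not code from the thread or from the WHATWG spec: `StorageRegistry`, its `denyGlobal` policy flag and the host names `a.example` and `b.example` are all constructed for illustration. The scoping rule is deliberately simplified (a named area is readable only by the exact matching host; the real spec's domain matching is richer), and the `denyGlobal` switch stands in for "some user-agent policy that refuses the unscoped area", not for any specific mitigation the spec's security section recommends.

```javascript
// Toy model of globalStorage-style areas keyed by domain. The '' (empty
// domain) area is the one the thread worries about: per the quoted
// description, every page may read and write it.
class StorageRegistry {
  constructor({ denyGlobal = false } = {}) {
    this.areas = new Map();      // domain -> Map(key -> value)
    this.denyGlobal = denyGlobal; // hypothetical UA policy: block the '' area
  }

  // Return (creating if needed) the storage area for `domain`.
  area(domain) {
    if (!this.areas.has(domain)) this.areas.set(domain, new Map());
    return this.areas.get(domain);
  }

  // Simplified access rule: the '' area is open to all hosts unless the UA
  // denies it; a named area is open only to the exact matching host.
  canAccess(host, domain) {
    if (domain === '') return !this.denyGlobal;
    return host === domain;
  }

  setItem(host, domain, key, value) {
    if (!this.canAccess(host, domain)) {
      throw new Error(`${host} may not write area ${domain === '' ? "''" : domain}`);
    }
    this.area(domain).set(key, value);
  }

  // Returns null when the host may not read the area or the key is absent.
  getItem(host, domain, key) {
    if (!this.canAccess(host, domain)) return null;
    const v = this.area(domain).get(key);
    return v === undefined ? null : v;
  }
}

// Walk through the scenario: a.example stores an identifier, then b.example
// tries to read it through both the shared '' area and a.example's own area.
function demo(denyGlobal) {
  const reg = new StorageRegistry({ denyGlobal });

  // Scoped write: lands in the area only a.example can reach.
  reg.setItem('a.example', 'a.example', 'uid', 'user-42');

  // Unscoped write into the '' area (refused when the UA denies it).
  let globalWriteOk = true;
  try {
    reg.setItem('a.example', '', 'uid', 'user-42');
  } catch {
    globalWriteOk = false;
  }

  return {
    globalWriteOk,
    // Cross-site read via the shared area: this is the privacy leak.
    readByOther: reg.getItem('b.example', '', 'uid'),
    // Same key through the scoped area: isolated, so null.
    scopedReadByOther: reg.getItem('b.example', 'a.example', 'uid'),
    // The owner still sees its own scoped value.
    scopedReadByOwner: reg.getItem('a.example', 'a.example', 'uid'),
  };
}

// With the '' area open, b.example learns a.example's identifier; with it
// denied, the same key stays invisible across sites.
console.log(demo(false));
console.log(demo(true));
```

Running it prints two objects: with `denyGlobal` off, `readByOther` is `'user-42'` (the cross-site leak) while `scopedReadByOther` is `null`; with `denyGlobal` on, the unscoped write is refused and `readByOther` is `null` as well. The point for a defender is that the leak comes purely from the scoping rule, not from any bug in the storing site.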