[whatwg] Client-side database and origins
Brady Eidson
beidson at apple.com
Wed Oct 3 12:27:59 PDT 2007
The spec at http://www.whatwg.org/specs/web-apps/current-work/multipage/section-sql.html#sql
states that "Each origin has an associated set of databases."
Origins are described at http://www.whatwg.org/specs/web-apps/current-work/multipage/section-scripting.html#origin0
and basically boil down to <scheme>,<host>,<port>
To me, this implies that a page hosted at "http://www.foo.com:80/user1"
has access to all databases that were created by
"http://www.foo.com:80/user2".
Even if the page at "http://www.foo.com:80/user1" needs to know the
database name and the correct version from "http://www.foo.com:80/user2",
this seems like a glaring security issue.
Am I misreading the spec or missing some other detail that would
prevent this hole?
Thanks,
Brady
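
The concern raised in the message above, as an added example that is not part of the original post or the spec: a toy model of storage keyed by the <scheme>,<host>,<port> tuple, showing that the path plays no part in isolation. The names originOf, DatabaseRegistry and demo, the database name "notes", and the extra URLs are assumptions made for the illustration.

```javascript
// Added illustration: a toy model of origin-keyed database storage.
// originOf, DatabaseRegistry, demo and the sample URLs are constructed here.

// Reduce a URL to its <scheme>,<host>,<port> tuple; the path is discarded.
function originOf(url) {
  const u = new URL(url);
  const scheme = u.protocol.replace(/:$/, "");
  const defaults = { http: "80", https: "443" };
  // URL.port is "" when the port is the scheme default, so fill it in.
  const port = u.port || defaults[scheme] || "";
  return `${scheme},${u.hostname},${port}`;
}

class DatabaseRegistry {
  constructor() {
    this.byOrigin = new Map(); // origin tuple -> Map(name -> { version, rows })
  }

  // Open (or create) a database on behalf of the page at pageUrl.
  open(pageUrl, name, version) {
    const origin = originOf(pageUrl);
    if (!this.byOrigin.has(origin)) this.byOrigin.set(origin, new Map());
    const dbs = this.byOrigin.get(origin);
    if (!dbs.has(name)) dbs.set(name, { version, rows: [] });
    const db = dbs.get(name);
    // Name and version are the only things a same-origin page must know.
    if (db.version !== version) throw new Error("version mismatch");
    return db;
  }
}

function demo() {
  const reg = new DatabaseRegistry();
  reg.open("http://www.foo.com:80/user2", "notes", "1.0").rows.push("user2 note");
  return {
    // Same scheme, host and port; only the path differs: data is shared.
    samePath: reg.open("http://www.foo.com/user1", "notes", "1.0").rows,
    // A per-user host or a different scheme gives a separate set of databases.
    otherHost: reg.open("http://user1.foo.com/", "notes", "1.0").rows,
    otherScheme: reg.open("https://www.foo.com/user1", "notes", "1.0").rows,
  };
}

console.log(demo());
```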