[whatwg] Client-side database and origins

Brady Eidson beidson at apple.com
Wed Oct 3 12:27:59 PDT 2007

The spec at http://www.whatwg.org/specs/web-apps/current-work/multipage/section-sql.html#sql 
  states that "Each origin has an associated set of databases."

Origins are described at http://www.whatwg.org/specs/web-apps/current-work/multipage/section-scripting.html#origin0 
  and basically boil down to <scheme>,<host>,<port>

To me, this implies that a page hosted at "http://www.foo.com:80/ 
user1" has access to all databases that were created by "http://www.foo.com:80/user2 

Even if the page at "http://www.foo.com:80/user1" needs to know the  
database name and the correct version from http://www.foo.com:80/ 
user2", this seems like a glaring security issue.

Am I misreading the spec or missing some other detail that would  
prevent this hole?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20071003/68d8375e/attachment-0001.htm>

More information about the whatwg mailing list