[whatwg] Client-side database and origins
Ian Hickson
ian at hixie.ch
Wed Oct 3 12:32:25 PDT 2007
On Wed, 3 Oct 2007, Brady Eidson wrote:
>
> To me, this implies that a page hosted at "http://www.foo.com:80/user1"
> has access to all databases that were created by
> "http://www.foo.com:80/user2"

Correct.

> Even if the page at "http://www.foo.com:80/user1" needs to know the
> database name and the correct version from "http://www.foo.com:80/user2",
> this seems like a glaring security issue.

Even if we limited it to paths, it would still be possible to access the
database. Since JavaScript same-origin checks aren't based on paths, you'd
just need to create an <iframe> to a page under /user2 and then inject
whatever script you wanted. The injected script would run under the /user2
origin, and would thus give you access to the database.
--
Ian Hickson U+1047E )\._.,--....,'``. fL
http://ln.hixie.ch/ U+263A /, _.. \ _\ ;`._ ,.
Things that are impossible just take longer. `._.-(,_..'--(,_..'`-.;.'
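
Added example, not part of the original message: a small audit that groups per-user URLs by the origin tuple (scheme, host, port) that same-origin checks use, showing that the thread's /user1 and /user2 pages fall into one origin. The tenant list is constructed sample input, and the user3.foo.com and /user4 entries are hypothetical.

```javascript
// Added example. Paths are ignored by same-origin checks, so only
// scheme, host and port decide which pages share client-side databases.

// Build a canonical origin key for a URL. The URL parser lowercases the
// host and drops default ports, so the default port is restored explicitly.
function originKey(urlString) {
  const u = new URL(urlString);
  const defaultPort = { "http:": "80", "https:": "443" }[u.protocol] || "";
  const scheme = u.protocol.replace(/:$/, "");
  return `${scheme}://${u.hostname}:${u.port || defaultPort}`;
}

function sameOrigin(a, b) {
  return originKey(a) === originKey(b);
}

// Group tenant URLs by origin. Any origin holding more than one tenant
// means those tenants can script each other and reach the same databases.
function findSharedOrigins(tenantUrls) {
  const groups = new Map();
  for (const url of tenantUrls) {
    const key = originKey(url);
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(url);
  }
  return [...groups]
    .filter(([, urls]) => urls.length > 1)
    .map(([origin, urls]) => ({ origin, urls }));
}

// Constructed sample input based on the foo.com URLs in the thread.
const tenants = [
  "http://www.foo.com:80/user1",
  "http://www.foo.com/user2",   // implicit port 80, same origin as user1
  "http://user3.foo.com/",      // hypothetical per-user hostname
  "https://www.foo.com/user4",  // hypothetical: different scheme and port
];

for (const { origin, urls } of findSharedOrigins(tenants)) {
  console.log(`${origin} is shared by: ${urls.join(", ")}`);
}
```

Only the per-user hostname and the different scheme end up in origins of their own; splitting users by path leaves them in a single origin.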