[whatwg] Client-side database and origins

Ian Hickson ian at hixie.ch
Wed Oct 3 12:32:25 PDT 2007


On Wed, 3 Oct 2007, Brady Eidson wrote:
> 
> To me, this implies that a page hosted at "http://www.foo.com:80/user1" 
> has access to all databases that were created by 
> "http://www.foo.com:80/user2"

Correct.


> Even if the page at "http://www.foo.com:80/user1" needs to know the 
> database name and the correct version from "http://www.foo.com:80/user2", 
> this seems like a glaring security issue.

Even if we limited it to paths, it would still be possible to access the 
database. Since JavaScript same-origin checks aren't based on paths, you'd 
just need to create an <iframe> to a page under /user2 and then inject 
whatever script you wanted. The injected script would run under the /user2 
origin, and would thus give you access to the database.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
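
The point made in the reply above, as an added example that is not part of the original message: same-origin checks compare scheme, host and port and ignore the path, so grouping a site's pages by origin shows which users end up sharing client-side databases. The helper names, the "first path segment is the user" convention and the sample URLs are assumptions of this example.

```javascript
// Added example: group page URLs by origin (scheme, host, port) the way
// same-origin checks do, ignoring the path entirely.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Serialize the origin tuple with the default port made explicit, so that
// "http://www.foo.com:80" and "http://www.foo.com" compare equal.
function originKey(pageUrl) {
  const u = new URL(pageUrl); // lowercases scheme and host for us
  const port = u.port || DEFAULT_PORTS[u.protocol];
  if (port === undefined) {
    throw new Error("unsupported scheme: " + u.protocol);
  }
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Assumption of this example: the first path segment names the user/tenant.
function tenantOf(pageUrl) {
  return new URL(pageUrl).pathname.split("/")[1] || "(root)";
}

// Return only the origins on which more than one tenant is hosted, i.e.
// where path-based separation gives no isolation for client-side storage.
function sharedStorageOrigins(pageUrls) {
  const byOrigin = new Map();
  for (const url of pageUrls) {
    const key = originKey(url);
    if (!byOrigin.has(key)) byOrigin.set(key, new Set());
    byOrigin.get(key).add(tenantOf(url));
  }
  const shared = {};
  for (const [key, tenants] of byOrigin) {
    if (tenants.size > 1) shared[key] = [...tenants].sort();
  }
  return shared;
}

// Constructed sample input.
const SAMPLE_PAGES = [
  "http://www.foo.com:80/user1",
  "http://www.foo.com/user2/notes.html",
  "HTTP://WWW.FOO.COM/user3",
  "https://www.foo.com/user4",   // different scheme: separate origin
  "http://user5.foo.com/",       // different host: separate origin
];

console.log(sharedStorageOrigins(SAMPLE_PAGES));
```

Only the per-host layout (user5.foo.com) gives a user an origin of its own; every path under http://www.foo.com shares one.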


