[whatwg] Some comments/questions on database storage

Ralf Stoltze ralf.stoltze at 2meter3.de
Mon Feb 25 12:56:02 PST 2008

- In 4.3.2, the spec defines the concept of origin, with respect to
script elements. However, the term is also used in combination with
browsing contexts and databases. 4.11.2 says: "Each origin has an
associated set of databases."

So what is the origin of a database?
- the originating host of the script which creates a database?
- the origin of the document that script belongs to?

- From 4.11.2:
"Otherwise, if the database provided is the empty string, [...]"

I think this must read "the database version provided".

- 4.11.3 defines that placeholders simply have to be replaced with
values from the arguments array. As I understand, this does not per se
ban SQL injections. Will the spec define *how* to replace placeholders,
including how to escape and quote values?

- From 4.11.3:
"A mostly arbitrary limit of five megabytes per origin is recommended."

The session/local storage part defines a quota on a per domain basis. Is
there any reason for this inconsistency (since both specs are now based
on the origin model)? Circumventing origin restrictions with subdomains
is the same for local storage and database storage.

- From 4.11.4:
"If no rows were returned, then the object will be empty."

What does empty mean? Getting an SQLResultSetRowList that has neither
a length attribute nor an item() method?

- From 4.11.6, step 6:
"Each statement has a statement, a result set callback, and optionally
an error callback."

That looks like the result set callback is mandatory, which it is not
(from the interface definition).

- I've seen some discussion on this list regarding the order of
execution of statements within one transaction. However, I believe that
this was related to an older version of the spec (which had implicit

Based on 4.11.6, step 6.7, I assume the following snippet to always
execute in order 1, 2, 3?

db.transaction(function(tx) {
  tx.executeSql('query 1', null, function(tx, rs) {
    tx.executeSql('query 2', null, function(tx, rs) {
    });
  });
  tx.executeSql('query 3', null, function(tx, rs) {
  });
});

- Small typo in 4.11.5: "dependending"

- From 4.11.7:
"In contrast with the localStorage feature, which intentionally allows
data to be accessed across multiple domains, protocols, and ports
(albeit in a controlled fashion), [...]"

Is this still true? My understanding of the current version is that
third-party scripts can access the localStorage associated with the
origin of the document they belong to, but not any other.

- cont'd:
"this database feature is limited to scripts running with the same
origin as the database."

Seems like my English is too limited here. What does "running with"
- the originating host of the script?
- the origin of the document that script belongs to?

Again, this comes down to defining the origin of a database.
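
The placeholder question raised above for 4.11.3, as an added example that is not part of the original message or of the spec: it compares pasting argument text into a statement with rendering each argument as one quoted literal. All function names are hypothetical, the inputs are constructed, and standard SQL string literals (a quote escaped by doubling it) are assumed.

```javascript
// Added example; function names are hypothetical, inputs are constructed.
const STRING_OR_MARK = /'(?:[^']|'')*'|\?/g;

// Strategy A: paste each argument's text into the statement unchanged.
function spliceRaw(sql, args) {
  let i = 0;
  return sql.replace(/\?/g, () => String(args[i++]));
}

// Render one argument as exactly one standard-SQL literal.
function toSqlLiteral(v) {
  if (v === null || v === undefined) return 'NULL';
  if (typeof v === 'number') {
    if (!Number.isFinite(v)) throw new TypeError('non-finite number');
    return String(v);
  }
  return "'" + String(v).replace(/'/g, "''") + "'";
}

// Strategy B: quote every argument, skip '?' inside string literals of the
// template, and reject a placeholder/argument count mismatch.
function spliceQuoted(sql, args) {
  let i = 0;
  const out = sql.replace(STRING_OR_MARK, (m) => {
    if (m !== '?') return m;            // existing literal: leave as is
    if (i >= args.length) throw new RangeError('too few arguments');
    return toSqlLiteral(args[i++]);
  });
  if (i !== args.length) throw new RangeError('too many arguments');
  return out;
}

// Statement shape: every string literal collapsed back to '?'.
function skeleton(sql) {
  return sql.replace(/'(?:[^']|'')*'/g, '?');
}

const template = 'SELECT id FROM notes WHERE id = ?';
const hostile = '0 OR 1=1';                     // constructed input
console.log(spliceRaw(template, [hostile]));    // shape changes
console.log(spliceQuoted(template, [hostile])); // shape preserved
```

Engines with prepared statements, such as SQLite, bind arguments as values after the statement is parsed, so no quoting step is involved at all.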

