[whatwg] Should DOM storage objects be mapped by an "effective script origin" rather then just an "origin"?

Anne van Kesteren annevk at opera.com
Tue May 26 02:26:43 PDT 2009


On Tue, 26 May 2009 09:31:15 +0200, Honza Bambas <honzab at allpeers.com> wrote:
> See also mozilla bug https://bugzilla.mozilla.org/show_bug.cgi?id=494799
>
> Effective script origin driven by document.domain is used to allow
> sharing of properties and data among pages coming from different
> subdomains. Should this "data sharing" apply also to sessionStorage and
> localStorage? It means: having page load from http://test.mysite.com
> accessing sessionStorage would get sessionStorage bound to
> http://test.mysite.com. When that same page than changes document.domain
> to http://mysite.com, sessionStorage it gets now should be a different
> object, bound to http://mysite.com. A reason to do this is also because
> of security checking. The subject's origin changes to http://mysite.com
> and access to sessionStorage bound to http://test.mysite.com should not
> be allowed (origins are not equal).
>
> Opinions?

I'd rather not leak document.domain leak more than necessary. Especially with it being bound to the Public Suffix List. If you want to communicate across origins you can always use postMessage().


-- 
Anne van Kesteren
http://annevankesteren.nl/


More information about the whatwg mailing list