[whatwg] Should DOM storage objects be mapped by an "effective script origin" rather than just an "origin"?

Honza Bambas honzab at allpeers.com
Tue May 26 00:31:15 PDT 2009


See also mozilla bug https://bugzilla.mozilla.org/show_bug.cgi?id=494799

Effective script origin driven by document.domain is used to allow 
sharing of properties and data among pages coming from different 
subdomains. Should this "data sharing" apply also to sessionStorage and 
localStorage? It means: having page load from http://test.mysite.com 
accessing sessionStorage would get sessionStorage bound to 
http://test.mysite.com. When that same page then changes document.domain 
to http://mysite.com, sessionStorage it gets now should be a different 
object, bound to http://mysite.com. A reason to do this is also because 
of security checking. The subject's origin changes to http://mysite.com 
and access to sessionStorage bound to http://test.mysite.com should not 
be allowed (origins are not equal).

Opinions?
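
The two keying choices raised in the question above, as an added model that is not part of the original message and not browser code. `StorageRegistry`, `ModelDocument` and `scenario` are hypothetical names, the `other.mysite.com` sibling page is constructed, and the `setDomain` check is a simplified stand-in for the real document.domain rules.

```javascript
// Model only: simulates keying storage areas by origin vs. effective script origin.
class StorageRegistry {
  constructor(keying) {          // keying: "origin" | "effective"
    this.keying = keying;
    this.areas = new Map();      // key string -> Map standing in for a Storage object
  }
  areaFor(doc) {
    const key = this.keying === "origin" ? doc.origin : doc.effectiveScriptOrigin;
    if (!this.areas.has(key)) this.areas.set(key, new Map());
    return this.areas.get(key);
  }
}

class ModelDocument {
  constructor(url) {
    const u = new URL(url);
    this.scheme = u.protocol;
    this.host = u.hostname;
    this.origin = u.origin;                 // fixed at load time
    this.effectiveScriptOrigin = u.origin;  // starts equal to the origin
  }
  // Simplified document.domain setter (assumption): accept only the host
  // itself or a parent-domain suffix of it.
  setDomain(domain) {
    if (this.host !== domain && !this.host.endsWith("." + domain)) {
      throw new Error("SecurityError: " + domain + " is not a suffix of " + this.host);
    }
    this.effectiveScriptOrigin = this.scheme + "//" + domain;
  }
}

function scenario(keying) {
  const reg = new StorageRegistry(keying);
  const test = new ModelDocument("http://test.mysite.com/page");
  const other = new ModelDocument("http://other.mysite.com/page"); // constructed sibling
  const before = reg.areaFor(test);
  before.set("token", "written-before-domain-change");
  test.setDomain("mysite.com");
  other.setDomain("mysite.com");
  return {
    sameObjectAfterChange: reg.areaFor(test) === before,
    tokenVisibleToSelf: reg.areaFor(test).has("token"),
    sharedWithSibling: reg.areaFor(test) === reg.areaFor(other),
    tokenVisibleToSibling: reg.areaFor(other).has("token"),
  };
}

console.log({ origin: scenario("origin"), effective: scenario("effective") });
```

Under effective-origin keying the page loses sight of data it wrote before the change, and every subdomain that opts into `mysite.com` lands in one shared storage area.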
