[whatwg] Should DOM storage objects be mapped by an "effective script origin" rather then just an "origin"?

Anne van Kesteren annevk at opera.com
Tue May 26 02:26:43 PDT 2009

On Tue, 26 May 2009 09:31:15 +0200, Honza Bambas <honzab at allpeers.com> wrote:
> See also mozilla bug https://bugzilla.mozilla.org/show_bug.cgi?id=494799
> Effective script origin driven by document.domain is used to allow
> sharing of properties and data among pages coming from different
> subdomains. Should this "data sharing" apply also to sessionStorage and
> localStorage? It means: having page load from http://test.mysite.com
> accessing sessionStorage would get sessionStorage bound to
> http://test.mysite.com. When that same page than changes document.domain
> to http://mysite.com, sessionStorage it gets now should be a different
> object, bound to http://mysite.com. A reason to do this is also because
> of security checking. The subject's origin changes to http://mysite.com
> and access to sessionStorage bound to http://test.mysite.com should not
> be allowed (origins are not equal).
> Opinions?

I'd rather not leak document.domain leak more than necessary. Especially with it being bound to the Public Suffix List. If you want to communicate across origins you can always use postMessage().

Anne van Kesteren

More information about the whatwg mailing list