[whatwg] [Web-storage] subdomains / cooperation and limits

Brian Kardell bkardell at gmail.com
Mon Sep 17 15:00:01 PDT 2012


On Sep 17, 2012 5:22 PM, "Ian Hickson" <ian at hixie.ch> wrote:
>
> On Mon, 17 Sep 2012, Brian Kardell wrote:
> >
> > Essentially, x.wordpress.com and y.wordpress.com both allocate and use
> > space - no problem, right?  Access is subject to the browsers -general-
> > [same-origin policy], (leaving aside the ability to document.domain up
> > one), right?  If I have two affiliate sites who communicate across an
> > explicit trust via postMessage - is this problematic?  I thought not,
> > and it doesn't seem to be - further - I cannot imagine how it could work
> > otherwise and still be useful for a host of common cases (like the
> > wordpress one I mentioned above).  I have been told that the draft
> > contradicts my understanding, but I don't think so.
>
> I don't really understand your question, but does this answer it?:
>
> http://www.whatwg.org/specs/web-apps/current-work/multipage/webstorage.html#disk-space-0
>
> --
> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Ian, you hit the nail on the head with the text section that raised the
issue but I still am not entirely sure that I understand... Doesn't this
imply that a case like *.wordpress.com would have a (suggested) limit of
5mb combined for all of its tons and tons of subdomains (at least without
additional/constant prompting)?  There are a whole lot of what I would call
"common" examples like this where it seems (to me anyway) unintuitive given the
regularity with which this kind of case would happen to think that that is
what is actually proposed.  If so, I guess I am looking for some kind of
explanation which I haven't really been able to find to help me understand
how that came about.   I can understand blocking access to that data pretty
easily, but with postMessage, being in the same top-level domain doesn't
even matter so it seems that one could just as easily "subvert the limit"
that way.

I think it isn't really implemented that way anywhere though, is it?   That
is, do browsers really share the limit across subdomains like that... am I
just completely misunderstanding what that section is saying?


