webstorage/Overview.html 1.1 Extract Web Sockets, Event Source, and Web

Extract Web Sockets, Event Source, and Web Storage out of HTML5.

References
http://people.w3.org/mike/diffs/html5/spec/webstorage/Overview.1.1.html#references
7.4 SQL and user agents
http://people.w3.org/mike/diffs/html5/spec/webstorage/Overview.1.1.html#sql-and-user-agents
7.5 SQL injection
http://people.w3.org/mike/diffs/html5/spec/webstorage/Overview.1.1.html#sql-injection

http://people.w3.org/mike/diffs/html5/spec/webstorage/Overview.diff.html
http://dev.w3.org/cvsweb/html5/spec/webstorage/Overview.html?r1=NONE&r2=1.1&f=h

<!DOCTYPE html><!-- when publishing, change bits marked ZZZ --><html lang=en-US-x-Hixie><meta charset=ascii><title>Web Storage</title><style type=text/css>
   pre { margin-left: 2em; white-space: pre-wrap; }
   h2 { margin: 3em 0 1em 0; }
   h3 { margin: 2.5em 0 1em 0; }
   h4 { margin: 2.5em 0 0.75em 0; }
   h5, h6 { margin: 2.5em 0 1em; }
   h1 + h2, h1 + h2 + h2 { margin: 0.75em 0 0.75em; }
   h2 + h3, h3 + h4, h4 + h5, h5 + h6 { margin-top: 0.5em; }
   p { margin: 1em 0; }
   hr:not(.top) { display: block; background: none; border: none; padding: 0; margin: 2em 0; height: auto; }
   dl, dd { margin-top: 0; margin-bottom: 0; }
   dt { margin-top: 0.75em; margin-bottom: 0.25em; clear: left; }
   dt + dt { margin-top: 0; }
   dd dt { margin-top: 0.25em; margin-bottom: 0; }
   dd p { margin-top: 0; }
   dd dl + p { margin-top: 1em; }
   dd table + p { margin-top: 1em; }
   p + * > li, dd li { margin: 1em 0; }
   dt, dfn { font-weight: bold; font-style: normal; }
[...1097 lines suppressed...]
  read from their domain causes <em>information leakage</em>. For
  example, a user's shopping wishlist on one domain could be used by
  another domain for targeted advertising; or a user's
  work-in-progress confidential documents stored by a word-processing
  site could be examined by the site of a competing company.

  <p>Letting third-party sites write data to the storage areas of
  other domains can result in <em>information spoofing</em>, which is
  equally dangerous. For example, a hostile site could add items to a
  user's wishlist; or a hostile site could set a user's session
  identifier to a known ID that the hostile site can then use to track
  the user's actions on the victim site.

  <p>Thus, strictly following the <span>origin</span> model described
  in this specification is important for user security.

  <h3 id=sql-and-user-agents><span class=secno>7.4 </span>SQL and user agents</h3>

  <p>User agent implementors are strongly encouraged to audit all
  their supported SQL statements for security implications. For
  example, <code title="">LOAD DATA INFILE</code> is likely to pose
  security risks and there is little reason to support it.

  <p>In general, it is recommended that user agents not support
  features that control how databases are stored on disk. For example,
  there is little reason to allow Web authors to control the character
  encoding used in the disk representation of the data, as all data in
  ECMAScript is implicitly UTF-16.

  <h3 id=sql-injection><span class=secno>7.5 </span>SQL injection</h3>

  <p>Authors are strongly recommended to make use of the <code title="">?</code> placeholder feature of the <code title=dom-sqltransaction-executeSql><a href=#dom-sqltransaction-executesql>executeSql()</a></code> method,
  and to never construct SQL statements on the fly.

  <h2 class=no-num id=references>References</h2>

  <p class=big-issue>This section will be written in a future
  draft.<!--XXX-->
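The two pieces of advice in sections 7.4 and 7.5 above, worked through in code. This is an added example, not code from the specification or from any user agent: it uses Python's standard sqlite3 module as a stand-in for the browser's executeSql(), since Web SQL databases are built on the same SQLite engine and use the same `?` placeholder syntax. The user-agent side audit is done with SQLite's authorizer hook; the set of denied operations (PRAGMA, ATTACH, DETACH and the load_extension function, which are SQLite's counterparts to the MySQL-specific LOAD DATA INFILE named in the text) is this example's own choice. The notes table, its rows and the hostile input are constructed for the demonstration.

```python
import sqlite3

# Engine-level operations a page author has no legitimate need for. This list
# is an assumption made for the example, modelled on the specification's advice
# to refuse statements that control on-disk storage: PRAGMA (for instance
# "PRAGMA encoding" selects the database file's character encoding) and
# ATTACH/DETACH (open or close arbitrary database files).
DENIED_ACTIONS = {sqlite3.SQLITE_PRAGMA, sqlite3.SQLITE_ATTACH, sqlite3.SQLITE_DETACH}
DENIED_FUNCTIONS = {"load_extension"}  # would load native code into the engine


def user_agent_authorizer(action, arg1, arg2, db_name, inner_context):
    """SQLite authorizer hook: consulted for every operation a statement would
    perform while the statement is compiled, so a denial stops it before any
    part of it runs. Returns SQLITE_OK or SQLITE_DENY."""
    if action in DENIED_ACTIONS:
        return sqlite3.SQLITE_DENY
    if action == sqlite3.SQLITE_FUNCTION and (arg2 or "").lower() in DENIED_FUNCTIONS:
        return sqlite3.SQLITE_DENY
    return sqlite3.SQLITE_OK


def open_author_database():
    """Stand-in for the per-origin database a user agent would open for a page."""
    conn = sqlite3.connect(":memory:", isolation_level=None)  # autocommit mode
    conn.set_authorizer(user_agent_authorizer)
    return conn


def execute_sql(conn, sql, args=()):
    """Same shape as executeSql(sqlStatement, arguments): the statement text and
    the bound arguments travel separately. Returns ("ok", rows) or ("error", msg)."""
    try:
        return "ok", conn.execute(sql, tuple(args)).fetchall()
    except sqlite3.DatabaseError as exc:  # "not authorized", syntax errors, ...
        return "error", str(exc)


def lookup_notes_vulnerable(conn, owner):
    """Builds the statement on the fly: the caller's text is parsed as SQL."""
    return execute_sql(conn, "SELECT body FROM notes WHERE owner = '" + owner + "'")


def lookup_notes_parameterized(conn, owner):
    """Uses the ? placeholder: owner is bound as a value and never parsed as SQL."""
    return execute_sql(conn, "SELECT body FROM notes WHERE owner = ?", (owner,))


def demo():
    """Runs both checks against constructed sample data and returns what happened."""
    conn = open_author_database()
    execute_sql(conn, "CREATE TABLE notes(owner TEXT, body TEXT)")
    execute_sql(conn, "INSERT INTO notes VALUES (?, ?)", ("alice", "alice's draft"))
    execute_sql(conn, "INSERT INTO notes VALUES (?, ?)", ("bob", "bob's draft"))

    # Constructed hostile input: a tautology that widens a concatenated WHERE clause.
    hostile_owner = "' OR '1'='1"

    return {
        # 7.4: statements that control storage are refused by the user agent.
        "pragma_encoding": execute_sql(conn, "PRAGMA encoding = 'UTF-16'")[0],
        "attach": execute_sql(conn, "ATTACH DATABASE ':memory:' AS other")[0],
        "plain_select": execute_sql(conn, "SELECT count(*) FROM notes")[1][0][0],
        # 7.5: the same input handled by on-the-fly construction and by a placeholder.
        "vulnerable_rows": len(lookup_notes_vulnerable(conn, hostile_owner)[1]),
        "parameterized_rows": len(lookup_notes_parameterized(conn, hostile_owner)[1]),
        "honest_rows": len(lookup_notes_parameterized(conn, "alice")[1]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the script shows the PRAGMA and ATTACH statements failing with an authorization error while ordinary SELECTs succeed, and the hostile owner string returning every row through the concatenated query but no rows through the placeholder query. The audit is placed in the engine's authorizer hook rather than in a keyword filter over the statement text, because the hook sees the actions a statement actually performs, including those reached through views, triggers or comment and whitespace tricks that a textual filter would miss.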

Received on Wednesday, 18 March 2009 19:36:56 UTC