W3C home > Mailing lists > Public > public-webapps@w3.org > July to September 2009

Re: Is localStorage read and write-able offlne?

From: João Eiras <joaoe@opera.com>
Date: Fri, 31 Jul 2009 14:18:25 +0100
To: "Jeremy Orlow" <jorlow@chromium.org>, "public-webapps@w3.org" <public-webapps@w3.org>
Message-ID: <op.uxxokzuz2q99of@coruscant>

> Everything in file:// is the same origin.  I think Mozilla has
> been experimenting with changing this, but I can't remember how they handle
> localStorage (if it's even different at all).
>

No. Everything on file:// has the origin defined by the origin serialization algorithm.
http://dev.w3.org/html5/spec/Overview.html#origin
The spec tells "If scheme is "file", then the user agent may return a UA-specific value."
In Opera's case we use file://machine/ where machine can be localhost, an ip, or a remote computer with a shared folder.
If you're on a local network which cannot be fully trusted, accessing a page at file://peer/ that manages to access your local harddrive is as serious as a cross-domain attack, or even more.
So saying that everything on file has origin file:// is a misconception of the problem origin tries to solve.
Received on Friday, 31 July 2009 13:19:09 GMT

This archive was generated by hypermail 2.3.1 : Tuesday, 26 March 2013 18:49:33 GMT