ACTION-438 Question about possibility of cross-site data sharing in Web Storage from Ashok Malhotra on 2010-06-15 (public-webapps@w3.org from April to June 2010)

From: Ashok Malhotra <ASHOK.MALHOTRA@oracle.com>
Date: Tue, 15 Jun 2010 04:11:01 -0700 (PDT)
To: <public-webapps@w3.org>
Cc: Www-Tag <www-tag@w3.org>
Message-ID: <681976d1-18bf-42e8-b54a-34ad1e22877b@default>

At the TAG f2f meeting last week we discussed the Web Storage (http://dev.w3.org/html5/webstorage/) draft.  As you know, Web Storage provides storage mechanisms (local storage and session storage) by origin.  This led us to conclude that it supports the same-origin policy.  But section 6.1 contains the sentence “User agents may allow sites to access session storage areas in an unrestricted manner, but require the user to authorize access to local storage areas.”   This prompted some of us to speculate that a door is being left open for cross-site information sharing in the manner of CORS (http://www.w3.org/TR/access-control/)or UMP(http://www.w3.org/TR/UMP/).

Would you agree that this reading between the lines is justified?

Received on Tuesday, 15 June 2010 11:11:46 UTC