
[whatwg] Client-side database and origins

From: Brady Eidson <beidson@apple.com>
Date: Wed, 3 Oct 2007 12:27:59 -0700
Message-ID: <3085E246-CBA9-44C8-9569-6156C1D87C72@apple.com>
The spec at http://www.whatwg.org/specs/web-apps/current-work/multipage/section-sql.html#sql 
  states that "Each origin has an associated set of databases."

Origins are described at http://www.whatwg.org/specs/web-apps/current-work/multipage/section-scripting.html#origin0 
  and basically boil down to <scheme>,<host>,<port>

To me, this implies that a page hosted at "http://www.foo.com:80/user1" has access to all databases that were created by "http://www.foo.com:80/user2".

Even if the page at "http://www.foo.com:80/user1" needs to know the database name and the correct version from "http://www.foo.com:80/user2", this seems like a glaring security issue.

Am I misreading the spec or missing some other detail that would  
prevent this hole?

Received on Wednesday, 3 October 2007 12:27:59 UTC
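The following is an added illustration of the point raised in the message above; it is not code from the poster or from the WHATWG spec. It models the origin tuple the spec describes (scheme, host, port, with default ports normalised) and a toy per-origin database store in which two pages on the same host that differ only by path share the same set of databases. The URLs, database name, version and the `OriginDatabaseStore` class are constructed for the example; the only mitigation the model shows is the one the origin definition itself implies, namely that per-user isolation requires a distinct origin (for instance a distinct host), because the path is not part of the origin.

```python
from urllib.parse import urlsplit

# Default ports used when the URL omits one, so that
# "http://host/" and "http://host:80/" are the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) tuple for a URL.

    The path, query and fragment are deliberately ignored: they are
    not part of the origin, which is exactly the poster's concern.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a, url_b):
    """True when two URLs map to the same origin tuple."""
    return origin(url_a) == origin(url_b)


class OriginDatabaseStore:
    """Toy model (constructed for this example) of 'each origin has an
    associated set of databases'. Databases are keyed by origin, then name."""

    def __init__(self):
        self._dbs = {}

    def open_database(self, page_url, name, version):
        """Open (or create) a database for the origin of page_url.

        A caller that knows the name and expected version of a database
        created by any other page in the same origin gets that database.
        """
        dbs = self._dbs.setdefault(origin(page_url), {})
        if name in dbs and dbs[name]["version"] != version:
            raise ValueError("version mismatch for %r" % name)
        return dbs.setdefault(name, {"version": version, "rows": []})

    def database_names(self, page_url):
        """Names of all databases visible to the origin of page_url."""
        return sorted(self._dbs.get(origin(page_url), {}))


def demo():
    """Reproduce the scenario from the message; returns facts the test checks."""
    store = OriginDatabaseStore()
    user1 = "http://www.foo.com:80/user1"
    user2 = "http://www.foo.com:80/user2"
    other_host = "http://user2.foo.com/"  # constructed: a separate origin

    # user2's page creates a database and stores a row in it.
    db = store.open_database(user2, "notes", "1.0")
    db["rows"].append("private row written by /user2")

    # user1's page, same origin, opens the same database by name/version.
    shared = store.open_database(user1, "notes", "1.0")

    # A page on a different host has its own, empty, set of databases.
    isolated_names = store.database_names(other_host)

    return {
        "same_origin": same_origin(user1, user2),
        "user1_sees_user2_rows": shared["rows"],
        "other_host_same_origin": same_origin(user1, other_host),
        "other_host_databases": isolated_names,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Running `demo()` shows the two path-separated pages sharing the database set, while the page on a different host sees none of it; that is the behaviour a per-origin model gives, and it is why path-based user areas on one host cannot rely on the origin for isolation.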
