- From: Ian Hickson <ian@hixie.ch>
- Date: Wed, 3 Oct 2007 19:32:25 +0000 (UTC)

On Wed, 3 Oct 2007, Brady Eidson wrote:
>
> To me, this implies that a page hosted at "http://www.foo.com:80/user1"
> has access to all databases that were created by
> "http://www.foo.com:80/user2"

Correct.

> Even if the page at "http://www.foo.com:80/user1" needs to know the
> database name and the correct version from http://www.foo.com:80/user2",
> this seems like a glaring security issue.

Even if we limited it to paths, it would still be possible to access the
database. Since JavaScript same-origin checks aren't based on paths, you'd
just need to create an <iframe> to a page under /user2 and then inject
whatever script you wanted. The injected script would run under the /user2
origin, and would thus give you access to the database.

--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 3 October 2007 12:32:25 UTC
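
The argument in the message above, as a small model (an added example, not part of the original message or of any browser's code). `Frame`, `StorageModel`, `reachable` and the `"pathScoped"` policy are hypothetical names; the model assumes only that script access between frames is decided by origin (scheme, host, port) and never by path.

```javascript
// Origin is (scheme, host, port). The URL API drops the default port, so
// "http://www.foo.com:80/user1" has origin "http://www.foo.com".
function originOf(url) {
  return new URL(url).origin;
}

// Scope used by the hypothetical path restriction: origin + first path segment.
function pathScopeOf(url) {
  const u = new URL(url);
  return u.origin + "/" + u.pathname.split("/")[1];
}

class Frame {
  constructor(url) { this.url = url; }
}

// Same-origin check between two frames: paths play no part in it.
function canScript(from, to) {
  return originOf(from.url) === originOf(to.url);
}

// Databases keyed by origin, or by origin + path under the hypothetical policy.
class StorageModel {
  constructor(policy) { this.policy = policy; this.dbs = new Map(); }
  keyFor(frame, name) {
    const scope = this.policy === "pathScoped"
      ? pathScopeOf(frame.url)
      : originOf(frame.url);
    return scope + "|" + name;
  }
  create(frame, name, data) { this.dbs.set(this.keyFor(frame, name), data); }
  open(frame, name) { return this.dbs.get(this.keyFor(frame, name)); }
}

// Data the caller can obtain: opened directly, or opened by code running in
// any frame the caller is allowed to script.
function reachable(store, caller, frames, name) {
  for (const f of [caller, ...frames]) {
    if (f !== caller && !canScript(caller, f)) continue;
    const data = store.open(f, name);
    if (data !== undefined) return data;
  }
  return undefined;
}
```

Under the path-scoped policy a direct `open` from /user1 fails, yet `reachable` still returns /user2's data through a same-origin frame; a frame on a different host (constructed in the test) gets nothing.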