W3C home > Mailing lists > Public > whatwg@whatwg.org > May 2009

[whatwg] Should DOM storage objects be mapped by an "effective script origin" rather then just an "origin"?

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 26 May 2009 11:26:43 +0200
Message-ID: <op.uui5utrl64w2qv@annevk-t60>
On Tue, 26 May 2009 09:31:15 +0200, Honza Bambas <honzab at allpeers.com> wrote:
> See also mozilla bug https://bugzilla.mozilla.org/show_bug.cgi?id=494799
>
> Effective script origin driven by document.domain is used to allow
> sharing of properties and data among pages coming from different
> subdomains. Should this "data sharing" apply also to sessionStorage and
> localStorage? It means: having page load from http://test.mysite.com
> accessing sessionStorage would get sessionStorage bound to
> http://test.mysite.com. When that same page than changes document.domain
> to http://mysite.com, sessionStorage it gets now should be a different
> object, bound to http://mysite.com. A reason to do this is also because
> of security checking. The subject's origin changes to http://mysite.com
> and access to sessionStorage bound to http://test.mysite.com should not
> be allowed (origins are not equal).
>
> Opinions?

I'd rather not leak document.domain leak more than necessary. Especially with it being bound to the Public Suffix List. If you want to communicate across origins you can always use postMessage().


-- 
Anne van Kesteren
http://annevankesteren.nl/
Received on Tuesday, 26 May 2009 02:26:43 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:08:49 UTC