Re: [whatwg] iframe sandbox and indexedDB

On Mon, Aug 6, 2012 at 5:08 PM, Ian Melven <imelven@mozilla.com> wrote:
> the spec at http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#sandboxed-origin-browsing-context-flag
> says :
>
> "This flag also prevents script from reading from or writing to the document.cookie IDL attribute, and blocks access to localStorage."
>
> it seems that indexedDB access should also be blocked when this flag is set (ie when 'allow-same-origin' is NOT specified for the sandbox attribute).

Yes.  I think this is actually a consequence of having a unique origin
and doesn't need to be stated explicitly in the spec.  (Although we
might want to state it explicitly for the avoidance of doubt.)

The reason document.cookie needs to be called out explicitly is that it
doesn't use the document's origin to determine which cookies to
access: it uses the document's URL.  We need to do that because cookies
ignore the port but do care about the path part of the document's URL.
(The better pattern for new APIs is to use the origin, which is what
IndexedDB does.)

> i intend to implement this restriction in Gecko, feedback from other implementors is welcome :)

Great.

Adam

Received on Tuesday, 7 August 2012 00:13:44 UTC
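An added example, not part of the thread, that models the rule discussed above: origin-keyed storage (localStorage, IndexedDB) is cut off automatically when a sandboxed frame gets a unique origin, whereas cookies are keyed by host and path and ignore the port, so document.cookie needs its own explicit rule. The helper names and the simplified host/path matching are assumptions, not browser APIs.

```javascript
// Constructed model of the origin rules; runs under Node, not a browser API.
// Tokenise the sandbox attribute the way HTML does: space-separated,
// ASCII case-insensitive keywords.
function sandboxFlags(attrValue) {
  return new Set(attrValue.toLowerCase().split(/\s+/).filter(Boolean));
}

// Which storage a document can reach. sandboxAttr is null when the frame
// is not sandboxed at all. Without allow-same-origin the origin is unique,
// and every origin-keyed API is unreachable as a direct consequence.
function storageAccess(documentUrl, sandboxAttr) {
  const u = new URL(documentUrl);
  const unique =
    sandboxAttr !== null && !sandboxFlags(sandboxAttr).has("allow-same-origin");
  return {
    origin: unique ? "unique" : u.origin,
    localStorage: !unique, // origin-keyed: blocked by the unique origin
    indexedDB: !unique,    // origin-keyed: blocked by the unique origin
    // URL-keyed, so the unique origin alone would not stop it; the spec
    // has to deny it explicitly, which this flag mirrors.
    cookie: !unique,
  };
}

// Origin comparison includes the port (scheme + host + port).
function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Simplified cookie matching: host-only domain match plus a path match in
// the style of RFC 6265. The port is deliberately not consulted.
function cookieVisible(cookie, documentUrl) {
  const u = new URL(documentUrl);
  const hostOk = u.hostname === cookie.domain;
  const prefix = cookie.path.endsWith("/") ? cookie.path : cookie.path + "/";
  const pathOk = u.pathname === cookie.path || u.pathname.startsWith(prefix);
  return hostOk && pathOk;
}

// Constructed inputs: the same host on two ports, and one cookie scoped to /app.
const APP = "https://example.com/app/page";
const APP_ALT_PORT = "https://example.com:8443/app/page";
const COOKIE = { name: "sid", domain: "example.com", path: "/app" };

console.log(storageAccess(APP, "allow-scripts"));
console.log(sameOrigin(APP, APP_ALT_PORT), cookieVisible(COOKIE, APP_ALT_PORT));
```

The last line prints `false true`: the two URLs are different origins, yet the same cookie is visible from both, which is exactly why origin-based blocking cannot cover document.cookie.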