- From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
- Date: Wed, 18 Mar 2009 19:35:37 +0000
- To: public-html-commits@w3.org
Update of /sources/public/html5/spec/webstorage
In directory hutz:/tmp/cvs-serv4694/webstorage
Added Files:
Overview.html
Log Message:
Extract Web Sockets, Event Source, and Web Storage out of HTML5.
--- NEW FILE: Overview.html ---
<!DOCTYPE html><!-- when publishing, change bits marked ZZZ --><html lang=en-US-x-Hixie><meta charset=ascii><title>Web Storage</title><style type=text/css>
pre { margin-left: 2em; white-space: pre-wrap; }
h2 { margin: 3em 0 1em 0; }
h3 { margin: 2.5em 0 1em 0; }
h4 { margin: 2.5em 0 0.75em 0; }
h5, h6 { margin: 2.5em 0 1em; }
h1 + h2, h1 + h2 + h2 { margin: 0.75em 0 0.75em; }
h2 + h3, h3 + h4, h4 + h5, h5 + h6 { margin-top: 0.5em; }
p { margin: 1em 0; }
hr:not(.top) { display: block; background: none; border: none; padding: 0; margin: 2em 0; height: auto; }
dl, dd { margin-top: 0; margin-bottom: 0; }
dt { margin-top: 0.75em; margin-bottom: 0.25em; clear: left; }
dt + dt { margin-top: 0; }
dd dt { margin-top: 0.25em; margin-bottom: 0; }
dd p { margin-top: 0; }
dd dl + p { margin-top: 1em; }
dd table + p { margin-top: 1em; }
p + * > li, dd li { margin: 1em 0; }
dt, dfn { font-weight: bold; font-style: normal; }
[...1097 lines suppressed...]
read from their domain causes <em>information leakage</em>, For
example, a user's shopping wishlist on one domain could be used by
another domain for targeted advertising; or a user's
work-in-progress confidential documents stored by a word-processing
site could be examined by the site of a competing company.<p>Letting third-party sites write data to the storage areas of
other domains can result in <em>information spoofing</em>, which is
equally dangerous. For example, a hostile site could add items to a
user's wishlist; or a hostile site could set a user's session
identifier to a known ID that the hostile site can then use to track
the user's actions on the victim site.<p>Thus, strictly following the <span>origin</span> model described
in this specification is important for user security.<h3 id=sql-and-user-agents><span class=secno>7.4 </span>SQL and user agents</h3><p>User agent implementors are strongly encouraged to audit all
their supported SQL statements for security implications. For
example, <code title="">LOAD DATA INFILE</code> is likely to pose
security risks and there is little reason to support it.<p>In general, it is recommended that user agents not support
features that control how databases are stored on disk. For example,
there is little reason to allow Web authors to control the character
encoding used in the disk representation of the data, as all data in
ECMAScript is implicitly UTF-16.<h3 id=sql-injection><span class=secno>7.5 </span>SQL injection</h3><p>Authors are strongly recommended to make use of the <code title="">?</code> placeholder feature of the <code title=dom-sqltransaction-executeSql><a href=#dom-sqltransaction-executesql>executeSql()</a></code> method,
and to never construct SQL statements on the fly.<h2 class=no-num id=references>References</h2><p class=big-issue>This section will be written in a future
draft.<!--XXX-->
Received on Wednesday, 18 March 2009 19:35:46 UTC