- From: Ian Hickson via cvs-syncmail <cvsmail@w3.org>
- Date: Fri, 20 Aug 2010 19:17:51 +0000
- To: public-html-commits@w3.org
Update of /sources/public/html5/webstorage
In directory hutz:/tmp/cvs-serv4750
Modified Files:
Overview.html
Log Message:
Change how localStorage protects from cross-origin accesses so that old Storage objects don't become vulnerable after document.domain is changed (which was rather inconsistent). (whatwg r5314)
Index: Overview.html
===================================================================
RCS file: /sources/public/html5/webstorage/Overview.html,v
retrieving revision 1.145
retrieving revision 1.146
diff -u -d -r1.145 -r1.146
--- Overview.html 16 Aug 2010 23:09:00 -0000 1.145
+++ Overview.html 20 Aug 2010 19:17:49 -0000 1.146
@@ -185,7 +185,7 @@
</style><link href="http://www.w3.org/StyleSheets/TR/W3C-ED" rel="stylesheet" type="text/css"><div class="head">
<p><a href="http://www.w3.org/"><img alt="W3C" height="48" src="http://www.w3.org/Icons/w3c_home" width="72"></a></p>
<h1>Web Storage</h1>
- <h2 class="no-num no-toc" id="editor-s-draft-16-august-2010">Editor's Draft 16 August 2010</h2>
+ <h2 class="no-num no-toc" id="editor-s-draft-20-august-2010">Editor's Draft 20 August 2010</h2>
<dl><dt>Latest Published Version:</dt>
<dd><a href="http://www.w3.org/TR/webstorage/">http://www.w3.org/TR/webstorage/</a></dd>
<dt>Latest Editor's Draft:</dt>
@@ -256,7 +256,7 @@
</ul><!-- UNDER NO CIRCUMSTANCES IS THE PRECEDING LIST TO BE REMOVED OR EDITED WITHOUT TALKING TO IAN FIRST --><!-- status of document, group responsible (required) --><p>The W3C <a href="http://www.w3.org/2008/webapps/">Web Applications
Working Group</a> is the W3C working group responsible for this
specification's progress along the W3C Recommendation track.
- This specification is the 16 August 2010 Editor's Draft.
+ This specification is the 20 August 2010 Editor's Draft.
</p><!-- required patent boilerplate --><p>This document was produced by a group operating under the <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5
February 2004 W3C Patent Policy</a>. W3C maintains a <a href="http://www.w3.org/2004/01/pp-impl/42538/status" rel="disclosure">public list of
any patent disclosures</a> made in connection with the deliverables
@@ -285,7 +285,9 @@
<ol>
<li><a href="#the-storage-interface"><span class="secno">4.1 </span>The <code>Storage</code> interface</a></li>
<li><a href="#the-sessionstorage-attribute"><span class="secno">4.2 </span>The <code title="dom-sessionStorage">sessionStorage</code> attribute</a></li>
- <li><a href="#the-localstorage-attribute"><span class="secno">4.3 </span>The <code title="dom-localStorage">localStorage</code> attribute</a></li>
+ <li><a href="#the-localstorage-attribute"><span class="secno">4.3 </span>The <code title="dom-localStorage">localStorage</code> attribute</a>
+ <ol>
+ <li><a href="#security-localStorage"><span class="secno">4.3.1 </span>Security</a></ol></li>
<li><a href="#the-storage-event"><span class="secno">4.4 </span>The <code title="event-storage">storage</code> event</a>
<ol>
<li><a href="#event-definition"><span class="secno">4.4.1 </span>Event definition</a></ol></li>
@@ -564,20 +566,14 @@
request violates a policy decision (e.g. if the user agent is
configured to not allow the page to persist data).</li>
- <li><p>If the <code>Document</code>'s <span>effective script
- origin</span> is not the <span>same origin</span> as the
- <code>Document</code>'s <span>origin</span>, then throw a
- <code>SECURITY_ERR</code> exception and abort these steps.</li>
- <!-- XXX should do this on getItem()/setItem()/enumerating etc -->
-
<li><p>If the <code>Document</code>'s <span>origin</span> is not a
scheme/host/port tuple, then throw a <code>SECURITY_ERR</code>
exception and abort these steps.</li>
<li><p>Check to see if the user agent has allocated a local storage
area for the <span>origin</span> of the <code>Document</code> of
- the <code>Window</code> object on which the method was invoked. If
- it has not, create a new storage area for that
+ the <code>Window</code> object on which the attribute was accessed.
+ If it has not, create a new storage area for that
<span>origin</span>.</li>
<li><p>Return the <code><a href="#storage-0">Storage</a></code> object associated with that
@@ -597,7 +593,16 @@
determining the number of properties present, or as part of the
execution of any of the methods or attributes defined on the
<code><a href="#storage-0">Storage</a></code> interface. the user agent must first
- <span>obtain the storage mutex</span>.<h3 id="the-storage-event"><span class="secno">4.4 </span>The <code title="event-storage"><a href="#event-storage">storage</a></code> event</h3><p>The <dfn id="event-storage" title="event-storage"><code>storage</code></dfn> event
+ <span>obtain the storage mutex</span>.<h4 id="security-localStorage"><span class="secno">4.3.1 </span>Security</h4><p>User agents must raise a <code>SECURITY_ERR</code> exception
+ whenever any of the members of a <code><a href="#storage-0">Storage</a></code> object
+ originally returned by the <code title="dom-localStorage"><a href="#dom-localstorage">localStorage</a></code> attribute are accessed
+ by scripts whose <span>effective script origin</span> is not the
+ <span title="same origin">same</span> as the <span>origin</span> of
+ the <code>Document</code> of the <code>Window</code> object on which
+ the <code title="dom-localStorage"><a href="#dom-localstorage">localStorage</a></code> attribute was
+ accessed.<p class="note">This means <code><a href="#storage-0">Storage</a></code> objects are neutered
+ when the <code title="dom-document-domain">document.domain</code>
+ attribute is used.<h3 id="the-storage-event"><span class="secno">4.4 </span>The <code title="event-storage"><a href="#event-storage">storage</a></code> event</h3><p>The <dfn id="event-storage" title="event-storage"><code>storage</code></dfn> event
is fired when a storage area changes, as described in the previous
two sections (<a href="#sessionStorageEvent">for session
storage</a>, <a href="#localStorageEvent">for local
Received on Friday, 20 August 2010 19:17:53 UTC