- From: poot <cvsmail@w3.org>
- Date: Thu, 19 Mar 2009 04:36:19 +0900 (JST)
- To: public-html-diffs@w3.org
Extract Web Sockets, Event Source, and Web Storage out of HTML5. References http://people.w3.org/mike/diffs/html5/spec/webstorage/Overview.1.1.html#references 7.4 SQL and user agents http://people.w3.org/mike/diffs/html5/spec/webstorage/Overview.1.1.html#sql-and-user-agents 7.5 SQL injection http://people.w3.org/mike/diffs/html5/spec/webstorage/Overview.1.1.html#sql-injection http://people.w3.org/mike/diffs/html5/spec/webstorage/Overview.diff.html http://dev.w3.org/cvsweb/html5/spec/webstorage/Overview.html?r1=NONE&r2=1.1&f=h <!DOCTYPE html><!-- when publishing, change bits marked ZZZ --><html lang=en-US-x-Hixie><meta charset=ascii><title>Web Storage</title><style type=text/css> pre { margin-left: 2em; white-space: pre-wrap; } h2 { margin: 3em 0 1em 0; } h3 { margin: 2.5em 0 1em 0; } h4 { margin: 2.5em 0 0.75em 0; } h5, h6 { margin: 2.5em 0 1em; } h1 + h2, h1 + h2 + h2 { margin: 0.75em 0 0.75em; } h2 + h3, h3 + h4, h4 + h5, h5 + h6 { margin-top: 0.5em; } p { margin: 1em 0; } hr:not(.top) { display: block; background: none; border: none; padding: 0; margin: 2em 0; height: auto; } dl, dd { margin-top: 0; margin-bottom: 0; } dt { margin-top: 0.75em; margin-bottom: 0.25em; clear: left; } dt + dt { margin-top: 0; } dd dt { margin-top: 0.25em; margin-bottom: 0; } dd p { margin-top: 0; } dd dl + p { margin-top: 1em; } dd table + p { margin-top: 1em; } p + * > li, dd li { margin: 1em 0; } dt, dfn { font-weight: bold; font-style: normal; } [...1097 lines suppressed...] read from their domain causes <em>information leakage</em>, For example, a user's shopping wishlist on one domain could be used by another domain for targeted advertising; or a user's work-in-progress confidential documents stored by a word-processing site could be examined by the site of a competing company.<p>Letting third-party sites write data to the storage areas of other domains can result in <em>information spoofing</em>, which is equally dangerous. For example, a hostile site could add items to a user's wishlist; or a hostile site could set a user's session identifier to a known ID that the hostile site can then use to track the user's actions on the victim site.<p>Thus, strictly following the <span>origin</span> model described in this specification is important for user security.<h3 id=sql-and-user-agents><span class=secno>7.4 </span>SQL and user agents</h3><p>User agent implementors are strongly encouraged to audit all their supported SQL statements for security implications. For example, <code title="">LOAD DATA INFILE</code> is likely to pose security risks and there is little reason to support it.<p>In general, it is recommended that user agents not support features that control how databases are stored on disk. For example, there is little reason to allow Web authors to control the character encoding used in the disk representation of the data, as all data in ECMAScript is implicitly UTF-16.<h3 id=sql-injection><span class=secno>7.5 </span>SQL injection</h3><p>Authors are strongly recommended to make use of the <code title="">?</code> placeholder feature of the <code title=dom-sqltransaction-executeSql><a href=#dom-sqltransaction-executesql>executeSql()</a></code> method, and to never construct SQL statements on the fly.<h2 class=no-num id=references>References</h2><p class=big-issue>This section will be written in a future draft.<!--XXX-->
Received on Wednesday, 18 March 2009 19:36:56 UTC