- From: Ian Hickson <ian@hixie.ch>
- Date: Tue, 11 Dec 2007 02:04:29 +0000 (UTC)
- To: Jim Jewett <jimjjewett@gmail.com>
- Cc: public-html@w3.org
On Wed, 31 Oct 2007, Jim Jewett wrote:
>
> Looking at the Storage API:
> http://www.whatwg.org/specs/web-apps/current-work/multipage/section-storage.html
>
> (1) How can a (key-value) pair be marked as readable in an insecure context?
>
> Some of the wording sounds like it is possible, but I didn't see any way
> to do it -- it sounds as though the secure flag is (only) set
> automatically from the script's context, so that something written from
> a secure context is automatically hidden from future insecure access.
>
> (2) If an insecure access has grandfathered access to a secure-context
> key-value pair, it can continue to read (including future changes).
> Why? (There might be a good reason; it just isn't obvious, so I think
> it should be explicit.)
>
> (3) If that grandfathered insecure context attempts to write, an
> exception is raised -- but what happens to the actual key-value pair? It
> sounds as though the failed write attempt effectively deletes the pair
> (instead of being a no-op). Why? (Again, there might be a good reason;
> it just isn't obvious, so I think it should be explicit.)

This is now all moot; I have changed the API to be same-origin so that you
can never run into the cases you mention.

Cheers,
--
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 11 December 2007 02:04:37 UTC