Re: Storage API

On Wed, 31 Oct 2007, Jim Jewett wrote:
> 
> Looking at the Storage API:
> http://www.whatwg.org/specs/web-apps/current-work/multipage/section-storage.html
> 
> (1)  How can a (key-value) pair be marked as readable in an insecure context?
> 
> Some of the wording sounds like it is possible, but I didn't see any way 
> to do it -- it sounds as though the secure flag is (only) set 
> automatically from the script's context, so that something written from 
> a secure context is automatically hidden from future insecure access.
>
> (2)  If an insecure access has grandfathered access to a secure-context 
> key-value pair, it can continue to read (including future changes).  
> Why?  (There might be a good reason; it just isn't obvious, so I think 
> it should be explicit.)
> 
> (3)  If that grandfathered insecure context attempts to write, an 
> exception is raised -- but what happens to the actual key-value pair? It 
> sounds as though the failed write attempt effectively deletes the pair 
> (instead of being a no-op).  Why?  (Again, there might be a good reason; 
> it just isn't obvious, so I think it should be explicit.)

This is now all moot; I have changed the API to be same-origin so that you 
can never run into the cases you mention.

Cheers,
-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Tuesday, 11 December 2007 02:04:37 UTC