- From: João Eiras <joaoe@opera.com>
- Date: Fri, 31 Jul 2009 14:18:25 +0100
- To: "Jeremy Orlow" <jorlow@chromium.org>, "public-webapps@w3.org" <public-webapps@w3.org>
> Everything in file:// is the same origin. I think Mozilla has
> been experimenting with changing this, but I can't remember how they handle
> localStorage (if it's even different at all).

No. Everything on file:// has the origin defined by the origin serialization algorithm.
http://dev.w3.org/html5/spec/Overview.html#origin

The spec says: "If scheme is "file", then the user agent may return a UA-specific value."

In Opera's case we use file://machine/ where machine can be localhost, an IP, or a remote computer with a shared folder.

If you're on a local network which cannot be fully trusted, accessing a page at file://peer/ that manages to access your local hard drive is as serious as a cross-domain attack, or even more.

So saying that everything on file has origin file:// is a misconception of the problem origin tries to solve.
Received on Friday, 31 July 2009 13:19:09 UTC
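
The difference between the two origin models discussed in the message above, as an added example that is not part of the original message and is not Opera's code. The function names and sample URLs are hypothetical; the only behaviour taken from the message is that the origin has the form file://machine/.

```javascript
// Added illustration. collapsedFileOrigin, hostAwareFileOrigin and
// sameOrigin are hypothetical names; the URLs are constructed samples.

// Model A: every file: URL collapses into the single origin "file://".
function collapsedFileOrigin(href) {
  const u = new URL(href);
  return u.protocol === "file:" ? "file://" : u.origin;
}

// Model B: the origin carries the machine, in the form file://machine/.
function hostAwareFileOrigin(href) {
  const u = new URL(href);
  if (u.protocol !== "file:") return u.origin;
  // The WHATWG URL parser yields an empty host for both file:///path and
  // file://localhost/path, so both are treated here as the local machine.
  const machine = u.hostname === "" ? "localhost" : u.hostname;
  return "file://" + machine + "/";
}

// Same-origin check under whichever model is passed in.
function sameOrigin(a, b, originOf) {
  return originOf(a) === originOf(b);
}

// Constructed samples: a local page, a page on a network share, and a
// second page on the same share.
const localPage = "file:///home/user/notes.html";
const peerPage = "file://peer/share/page.html";
const peerOther = "file://peer/share/other.html";

function report() {
  return {
    // Model A: the page from the share shares an origin (and therefore
    // origin-keyed data such as localStorage) with local files.
    collapsedLocalVsPeer: sameOrigin(localPage, peerPage, collapsedFileOrigin),
    // Model B: the share and the local disk are separate origins.
    hostAwareLocalVsPeer: sameOrigin(localPage, peerPage, hostAwareFileOrigin),
    // Model B: two pages on the same machine remain same-origin.
    hostAwarePeerVsPeer: sameOrigin(peerPage, peerOther, hostAwareFileOrigin),
  };
}

console.log(report());
```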