Re: ACTION-438 Question about possibility of cross-site data sharing in Web Storage

On Tue, 15 Jun 2010 13:11:01 +0200, Ashok Malhotra  
<ASHOK.MALHOTRA@oracle.com> wrote:
> At the TAG f2f meeting last week we discussed the Web Storage  
> (http://dev.w3.org/html5/webstorage/) draft.  As you know, Web Storage  
> provides storage mechanisms (local storage and session storage) by  
> origin.  This led us to conclude that it supports the same-origin  
> policy.  But section 6.1 contains the sentence “User agents may allow  
> sites to access session storage areas in an unrestricted manner, but  
> require the user to authorize access to local storage areas.”   This  
> prompted some of us to speculate that a door is being left open for  
> cross-site information sharing in the manner of CORS  
> (http://www.w3.org/TR/access-control/)or UMP(http://www.w3.org/TR/UMP/).
>
> Would you agree that this reading between the lines is justified?

No, it says before that "Site-specific white-listing of access to local  
storage areas". And then continues with the explanation you quoted. I  
don't quite understand how you went from that to cross-origin usage. All  
it says is that user agents could offer the option to do local storage on  
an opt-in basis to make tracking harder.


-- 
Anne van Kesteren
http://annevankesteren.nl/

Received on Tuesday, 15 June 2010 11:19:59 UTC