
Re: [webstorage] origin security check

From: Marcos Caceres <marcosscaceres@gmail.com>
Date: Fri, 10 Jun 2011 15:08:52 +0100
Message-ID: <BANLkTi=LHGj8Z9Zi6N7ThGH+aCeD5T6MEQ@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: public-webapps <public-webapps@w3.org>

Hi Ian,

On Fri, Jun 10, 2011 at 9:26 AM, Marcos Caceres
<marcosscaceres@gmail.com> wrote:
> On Thu, Jun 9, 2011 at 6:07 PM, Ian Hickson <ian@hixie.ch> wrote:
>> On Thu, 9 Jun 2011, Marcos Caceres wrote:
>>> tiny quick editorial request, where the spec says:
>>> "When the localStorage attribute is accessed, the user agent must run
>>> the following steps:"
>>> Can you please change that to:
>>> "When the localStorage attribute is accessed, the user agent must run
>>> the origin security check."
>>> And then independently define just label the algorithm "origin
>>> security check" (or name it something better).
>>> I need to use the same text in another spec and would prefer to link
>>> instead of copy/paste.
>> Done.
> Thanks! :)
>> Just out of interest, what's the context for this? These steps are pretty
>> specific to localStorage (and are not the complete security story -- see
>> the later section on security), so I'm surprised to hear these particular
>> steps would be reused.
> Context is the widget.preference attribute, which implements Storage
> (but supports some widgety things, like read-only keys/values):
> http://dev.w3.org/2006/waf/widgets-api/#the-preferences-attribute
> I want to replace the following section with the link to the Storage spec:
> http://dev.w3.org/2006/waf/widgets-api/#preference-origin-security-check0

I tried to create a generic HTML test for this using localStorage, but
could not figure out a way to trigger the SECURITY_ERR. I asked a few
people (Lachy, Snedders, and even the guy that implemented Web Storage
at Opera!) to help me come up with a test. No one was able to come
up with a test for this, as there seems to be a general lack of
understanding how the whole effective script origin is set (we looked
at the spec, read it backwards, then forwards, then scratched our
heads for a bit).

Can you explain (with maybe some javascript) how one would cause the
SECURITY_ERR exception to be thrown by setItem() and getItem()?

Many thanks in advance!

Marcos Caceres
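As an added illustration (not part of this thread, and not code from either spec), the following plain JavaScript models the "origin security check" and the effective-script-origin rule as the 2011-era Web Storage and HTML drafts described them, with documents represented as constructed objects; the steps are paraphrased from memory of those drafts and the document/domain handling is an assumption, so check it against the spec text before relying on it. It shows why an ordinary same-origin test page never sees SECURITY_ERR: the exception needs either an origin that is not a scheme/host/port tuple, or an effective script origin that has diverged from the document's origin after the Storage object was obtained.

```javascript
// Constructed model of the Web Storage origin security check (added example;
// spec steps paraphrased from the 2011-era drafts, not quoted from them).

class SecurityError extends Error {
  constructor(msg) { super(msg); this.name = 'SECURITY_ERR'; this.code = 18; }
}

// Scheme/host/port tuple for http(s) URLs; null for origins that are not
// such a tuple (e.g. data: or file: documents).
function originOf(url) {
  const u = new URL(url);
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Constructed "document": the origin is fixed at load time; the effective
// script origin starts equal to it and only diverges when document.domain is
// set (modelled here as setDomain; real browsers also validate the suffix).
function makeDocument(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  const doc = {
    origin: originOf(url),
    effectiveScriptOrigin: originOf(url),
    setDomain(domain) { doc.effectiveScriptOrigin = `${u.protocol}//${domain}:${port}`; },
  };
  return doc;
}

const localStorageAreas = new Map();  // origin -> Map of key/value pairs

// Run when window.localStorage is read: reject documents whose origin is not
// a tuple, otherwise hand back the area for the document's origin, with each
// member guarded by the rule that the caller's effective script origin must
// still equal the origin the area was allocated for.
function accessLocalStorage(doc) {
  if (doc.origin === null) throw new SecurityError('origin is not a scheme/host/port tuple');
  if (!localStorageAreas.has(doc.origin)) localStorageAreas.set(doc.origin, new Map());
  const area = localStorageAreas.get(doc.origin);
  const guard = () => {
    if (doc.effectiveScriptOrigin !== doc.origin) throw new SecurityError('effective script origin differs');
  };
  return {
    getItem(key) { guard(); return area.has(key) ? area.get(key) : null; },
    setItem(key, value) { guard(); area.set(key, String(value)); },
  };
}

// True when fn() throws SECURITY_ERR, false when it succeeds or throws something else.
function throwsSecurityErr(fn) {
  try { fn(); return false; } catch (e) { return e instanceof SecurityError; }
}
```

Under this model a test page must set document.domain (or load from a non-tuple origin such as data:) after obtaining the Storage object before setItem() or getItem() will throw.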
Received on Friday, 10 June 2011 14:09:39 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:20 UTC