Re: [webstorage] origin security check from Marcos Caceres on 2011-06-10 (public-webapps@w3.org from April to June 2011)

From: Marcos Caceres <marcosscaceres@gmail.com>
Date: Fri, 10 Jun 2011 15:08:52 +0100
To: Ian Hickson <ian@hixie.ch>
Cc: public-webapps <public-webapps@w3.org>
Message-ID: <BANLkTi=LHGj8Z9Zi6N7ThGH+aCeD5T6MEQ@mail.gmail.com>

Hi Ian,

On Fri, Jun 10, 2011 at 9:26 AM, Marcos Caceres
<marcosscaceres@gmail.com> wrote:
> On Thu, Jun 9, 2011 at 6:07 PM, Ian Hickson <ian@hixie.ch> wrote:
>> On Thu, 9 Jun 2011, Marcos Caceres wrote:
>>>
>>> tiny quick editorial request, where the spec says:
>>>
>>> "When the localStorage attribute is accessed, the user agent must run
>>> the following steps:"
>>>
>>> Can you please change that to:
>>>
>>> "When the localStorage attribute is accessed, the user agent must run
>>> the origin security check."
>>>
>>> And then independently define just label the algorithm "origin
>>> security check" (or name it something better).
>>>
>>> I need to use the same text in another spec and would prefer to link
>>> instead of copy/paste.
>>
>> Done.
>
> Thanks! :)
>
>> Just out of interest, what's the context for this? These steps are pretty
>> specific to localStorage (and are not the complete security story -- see
>> the later section on security), so I'm surprised to hear these particular
>> steps would be reused.
>
> Context is the widget.preference attribute, which implements Storage
> (but supports some widgety things, like read-only keys/values):
>
> http://dev.w3.org/2006/waf/widgets-api/#the-preferences-attribute
>
> I'm want to replace the following section with the link to the Storage spec:
> http://dev.w3.org/2006/waf/widgets-api/#preference-origin-security-check0

I tried to create a generic HTML test for this using localStorage, but
could not figure out a way to trigger the SECURITY_ERR. I asked a few
people (Lachy, Snedders, and even the guy that implemented Web Storage
at Opera!) to help me come up with a test. No one was not able to come
up with a test for this, as there seems to be a general lack of
understanding how the whole effective script origin is set (we looked
at the spec, read it backwards, then forwards, then scratched our
heads for a bit).

Can you explain (with maybe some javascript) how one would cause the
SECURITY_ERR exception to be thrown by setItem() and getItem()?

Many thanks in advance!

Marcos
-- 
Marcos Caceres
http://datadriven.com.au

Received on Friday, 10 June 2011 14:09:39 UTC