W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2011

Re: [webstorage] origin security check

From: Ian Hickson <ian@hixie.ch>
Date: Fri, 10 Jun 2011 19:19:30 +0000 (UTC)
To: Marcos Caceres <marcosscaceres@gmail.com>
cc: public-webapps <public-webapps@w3.org>
Message-ID: <Pine.LNX.4.64.1106101917190.26539@ps20323.dreamhostps.com>
On Fri, 10 Jun 2011, Marcos Caceres wrote:
> I tried to create a generic HTML test for this using localStorage, but 
> could not figure out a way to trigger the SECURITY_ERR. I asked a few 
> people (Lachy, Snedders, and even the guy that implemented Web Storage 
> at Opera!) to help me come up with a test. No one was not able to come 
> up with a test for this, as there seems to be a general lack of 
> understanding how the whole effective script origin is set (we looked at 
> the spec, read it backwards, then forwards, then scratched our heads for 
> a bit).
> Can you explain (with maybe some javascript) how one would cause the 
> SECURITY_ERR exception to be thrown by setItem() and getItem()?

var foo = localStorage;
foo.test = '';
document.domain = document.domain; // changes effective origin
foo.test; // throws
localStorage; // would also throw

Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
Received on Friday, 10 June 2011 19:19:53 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:20 UTC