Re: [webstorage] origin security check from Marcos Caceres on 2011-06-13 (public-webapps@w3.org from April to June 2011)

From: Marcos Caceres <marcosscaceres@gmail.com>
Date: Mon, 13 Jun 2011 10:46:00 +0100
To: Ian Hickson <ian@hixie.ch>
Cc: public-webapps <public-webapps@w3.org>
Message-ID: <BANLkTinGuwW1Lp_R=Vo8zqE+rUYWAawjiw@mail.gmail.com>

On Fri, Jun 10, 2011 at 8:17 PM, Ian Hickson <ian@hixie.ch> wrote:
> On Fri, 10 Jun 2011, Marcos Caceres wrote:
>> On Thu, Jun 9, 2011 at 6:07 PM, Ian Hickson <ian@hixie.ch> wrote:
>> > On Thu, 9 Jun 2011, Marcos Caceres wrote:
>> >>
>> >> tiny quick editorial request, where the spec says:
>> >>
>> >> "When the localStorage attribute is accessed, the user agent must run
>> >> the following steps:"
>> >>
>> >> Can you please change that to:
>> >>
>> >> "When the localStorage attribute is accessed, the user agent must run
>> >> the origin security check."
>> >>
>> >> And then independently define just label the algorithm "origin
>> >> security check" (or name it something better).
>> >>
>> >> I need to use the same text in another spec and would prefer to link
>> >> instead of copy/paste.
>> >
>> > Done.
>>
>> Thanks! :)
>>
>> > Just out of interest, what's the context for this? These steps are pretty
>> > specific to localStorage (and are not the complete security story -- see
>> > the later section on security), so I'm surprised to hear these particular
>> > steps would be reused.
>>
>> Context is the widget.preference attribute, which implements Storage
>> (but supports some widgety things, like read-only keys/values):
>>
>> http://dev.w3.org/2006/waf/widgets-api/#the-preferences-attribute
>>
>> I'm want to replace the following section with the link to the Storage spec:
>> http://dev.w3.org/2006/waf/widgets-api/#preference-origin-security-check0
>
> The algorithm we're talking about here wouldn't work for that; steps 3 and
> 4 in particular would mean that .preferences always returned the same
> object as .localStorage.

I thought maybe I could get away with:

"When getting or setting the preferences attribute, if the origin of a
widget instance is mutable (e.g., if the user agent allows
document.domain to be dynamically changed), then the user agent must
perform the object initialization steps of [Web Storage] substituting
the preferences attribute for the localStorage attribute where
appropriate."

But maybe I'll just do a copy and paste and just replace the
appropriate bits of text.

-- 
Marcos Caceres
http://datadriven.com.au

Received on Monday, 13 June 2011 09:46:48 UTC