W3C home > Mailing lists > Public > public-webapps@w3.org > April to June 2011

Re: [webstorage] origin security check

From: Marcos Caceres <marcosscaceres@gmail.com>
Date: Mon, 13 Jun 2011 11:38:40 +0100
Message-ID: <BANLkTi=xmAsnd-fHvRf7N_K3ZKEZVPYpZQ@mail.gmail.com>
To: Ian Hickson <ian@hixie.ch>
Cc: public-webapps <public-webapps@w3.org>
On Fri, Jun 10, 2011 at 8:19 PM, Ian Hickson <ian@hixie.ch> wrote:
> On Fri, 10 Jun 2011, Marcos Caceres wrote:
>> I tried to create a generic HTML test for this using localStorage, but
>> could not figure out a way to trigger the SECURITY_ERR. I asked a few
>> people (Lachy, Snedders, and even the guy that implemented Web Storage
>> at Opera!) to help me come up with a test. No one was not able to come
>> up with a test for this, as there seems to be a general lack of
>> understanding how the whole effective script origin is set (we looked at
>> the spec, read it backwards, then forwards, then scratched our heads for
>> a bit).
>> Can you explain (with maybe some javascript) how one would cause the
>> SECURITY_ERR exception to be thrown by setItem() and getItem()?
> var foo = localStorage;
> foo.test = '';
> document.domain = document.domain; // changes effective origin
> foo.test; // throws
> localStorage; // would also throw

Thanks for this. Got it now :)

Marcos Caceres
Received on Monday, 13 June 2011 10:39:36 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:13:20 UTC