Re: [webstorage] origin security check from Scott Wilson on 2011-06-14 (public-webapps@w3.org from April to June 2011)

From: Scott Wilson <scott.bradley.wilson@gmail.com>
Date: Tue, 14 Jun 2011 14:59:32 +0100
To: Marcos Caceres <marcosscaceres@gmail.com>
Cc: Ian Hickson <ian@hixie.ch>, public-webapps <public-webapps@w3.org>
Message-Id: <4701DEE3-950C-468D-A12D-AD7F8E0CCBB1@gmail.com>

On 14 Jun 2011, at 06:28, Marcos Caceres wrote:

> On Monday, June 13, 2011, Ian Hickson <ian@hixie.ch> wrote:
>> On Mon, 13 Jun 2011, Marcos Caceres wrote:
>>> 
>>> I thought maybe I could get away with:
>>> 
>>> "When getting or setting the preferences attribute, if the origin of a
>>> widget instance is mutable (e.g., if the user agent allows
>>> document.domain to be dynamically changed), then the user agent must
>>> perform the object initialization steps of [Web Storage] substituting
>>> the preferences attribute for the localStorage attribute where
>>> appropriate."
>>> 
>>> But maybe I'll just do a copy and paste and just replace the appropriate
>>> bits of text.
>> 
>> I guess that could work.
>> 
>> By the way, how are you resolving the multiple-thread problem here? (Since
>> you're introducing a new API, it presumably doesn't have to have the same
>> bug as the localStorage API, where we're stuck for legacy reasons and are
>> basically forced to either have a cross-thread blocking API or a racy API,
>> depending on how it's implemented, both of which suck.)
> 
> We are not solving it:(
> 
> As widgets run as a single process, each instance in a unique origin,
> don't share data/cache with browser tabs/windows or other widgets,
> this issue does not come up much... At least no one has complained to
> me about it.

We've seen clients setting the same preference in different threads resulting in a consistency problem, however we basically go with the view that its something we just deal with - i.e. its not guaranteed to be consistent but we make best effort. In general use in a widget context its not going to be frequent or critical - we only come across it in a testing context by creating duplicate views of a widget instance, showing them alongside each other, which is a pretty pointless thing for a user to do.

> 
> 
> 
>> --
>> Ian Hickson               U+1047E                )\._.,--....,'``.    fL
>> http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
>> Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'
>> 
> 
> -- 
> Marcos Caceres
> http://datadriven.com.au
>

Received on Tuesday, 14 June 2011 14:00:06 UTC