W3C home > Mailing lists > Public > whatwg@whatwg.org > June 2007

[whatwg] Potenial Security Problem in Global Storage Specification

From: Gervase Markham <gerv@mozilla.org>
Date: Mon, 04 Jun 2007 12:51:55 +0100
Message-ID: <4663FCDB.1080909@mozilla.org>
Jerason Banes wrote:
> That effectively restricts the storage to a single domain and is in line 
> with how cookies work today.

Yes, it does. But I don't think I have been insufficiently clear.

My issue is not with the idea of DOM Storage as a whole, but with the 
idea of sharing information across sites - which requires this global 
storage.

> I wasn't able to find any docs that describe the Storage security model 
> used in Gecko, so I ran a few tests. What I found was that any attempt 
> to access globalStorage[''] or globalStorage['com'] from the context of 
> a website resulted in a security error. You can try the test for 
> yourself here:
> 
> http://java.dnsalias.com/temp/storage.html

I suspect it might use, or be planning to use, the Effective TLD 
service, which provides information necessary to implement the scheme 
you referenced above.

>     Is there a document somewhere outlining the actual benefits of this
>     feature, even as potentially restricted?
> 
> The specification has this explanation: "Web applications may wish to 
> store megabytes of user data, such as entire user-authored documents or 
> a user's mailbox, on the clientside for performance reasons."

To restate more clearly: "Is there a document somewhere outlining the 
actual benefits of being able to share data across domains?"

Gerv
Received on Monday, 4 June 2007 04:51:55 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:58:56 UTC