[whatwg] Potenial Security Problem in Global Storage Specification from Ian Hickson on 2007-05-31 (public-whatwg-archive@w3.org from May 2007)

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 31 May 2007 05:37:25 +0000 (UTC)
Message-ID: <Pine.LNX.4.64.0705310531210.19146@dhalsim.dreamhost.com>

On Thu, 31 May 2007, Jerason Banes wrote:
> 
> I was just comparing the Storage API with that of the Google 
> Gears<http://gears.google.com>, and something jumped out at me. 
> According to the spec, browsers should allow a webapp to store data in 
> the globalStorage object with no domain attached. (i.e. 
> globalStorage['']) This is intended to allow data to be shared across 
> all webpages.
>
> My concern is that this poses a problem for the user's privacy.

Yeah, this is mentioned in the security section:

   http://www.whatwg.org/specs/web-apps/current-work/#security5

...along with recommended solutions to mitigate it.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Wednesday, 30 May 2007 22:37:25 UTC