- From: Brady Eidson <beidson@apple.com>
- Date: Wed, 3 Oct 2007 12:27:59 -0700
The spec at http://www.whatwg.org/specs/web-apps/current-work/multipage/section-sql.html#sql states that "Each origin has an associated set of databases." Origins are described at http://www.whatwg.org/specs/web-apps/current-work/multipage/section-scripting.html#origin0 and basically boil down to <scheme>,<host>,<port> To me, this implies that a page hosted at "http://www.foo.com:80/ user1" has access to all databases that were created by "http://www.foo.com:80/user2 " Even if the page at "http://www.foo.com:80/user1" needs to know the database name and the correct version from http://www.foo.com:80/ user2", this seems like a glaring security issue. Am I misreading the spec or missing some other detail that would prevent this hole? Thanks, Brady -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20071003/68d8375e/attachment.htm>
Received on Wednesday, 3 October 2007 12:27:59 UTC