[whatwg] Should DOM storage objects be mapped by an "effective script origin" rather then just an "origin"? from Ian Hickson on 2009-06-11 (public-whatwg-archive@w3.org from June 2009)

From: Ian Hickson <ian@hixie.ch>
Date: Thu, 11 Jun 2009 20:11:09 +0000 (UTC)
Message-ID: <Pine.LNX.4.62.0906112008260.1648@hixie.dreamhostps.com>

On Tue, 26 May 2009, Honza Bambas wrote:
>
> See also mozilla bug https://bugzilla.mozilla.org/show_bug.cgi?id=494799
> 
> Effective script origin driven by document.domain is used to allow 
> sharing of properties and data among pages coming from different 
> subdomains. Should this "data sharing" apply also to sessionStorage and 
> localStorage? It means: having page load from http://test.mysite.com 
> accessing sessionStorage would get sessionStorage bound to 
> http://test.mysite.com. When that same page than changes document.domain 
> to http://mysite.com, sessionStorage it gets now should be a different 
> object, bound to http://mysite.com. A reason to do this is also because 
> of security checking. The subject's origin changes to http://mysite.com 
> and access to sessionStorage bound to http://test.mysite.com should not 
> be allowed (origins are not equal).

On Tue, 26 May 2009, Anne van Kesteren wrote:
> 
> I'd rather not leak document.domain leak more than necessary. Especially 
> with it being bound to the Public Suffix List. If you want to 
> communicate across origins you can always use postMessage().

On Tue, 26 May 2009, Jonas Sicking wrote:
> 
> I definitely don't see a reason to leak document.domain hacks more than 
> neccesary. Further, generally the document.domain feature requires that 
> two pages set document.domain to the same value in order to communicate. 
> If localStorage was affected by document.domain, that would mean that 
> foo.example.com could read example.coms data without example.com ever 
> opting in to this.

Based on the above comments I haven't changed the spec. You can work 
around this limitation by having an iframe in the other origin and using 
postMessage() to communicate with it to manipulate the other storage area.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'

Received on Thursday, 11 June 2009 13:11:09 UTC