- From: Ian Hickson <ian@hixie.ch>
- Date: Thu, 11 Jun 2009 20:11:09 +0000 (UTC)
On Tue, 26 May 2009, Honza Bambas wrote:
>
> See also mozilla bug https://bugzilla.mozilla.org/show_bug.cgi?id=494799
>
> Effective script origin driven by document.domain is used to allow
> sharing of properties and data among pages coming from different
> subdomains. Should this "data sharing" apply also to sessionStorage and
> localStorage? It means: having page load from http://test.mysite.com
> accessing sessionStorage would get sessionStorage bound to
> http://test.mysite.com. When that same page then changes document.domain
> to http://mysite.com, sessionStorage it gets now should be a different
> object, bound to http://mysite.com. A reason to do this is also because
> of security checking. The subject's origin changes to http://mysite.com
> and access to sessionStorage bound to http://test.mysite.com should not
> be allowed (origins are not equal).

On Tue, 26 May 2009, Anne van Kesteren wrote:
>
> I'd rather not leak document.domain more than necessary. Especially
> with it being bound to the Public Suffix List. If you want to
> communicate across origins you can always use postMessage().

On Tue, 26 May 2009, Jonas Sicking wrote:
>
> I definitely don't see a reason to leak document.domain hacks more than
> necessary. Further, generally the document.domain feature requires that
> two pages set document.domain to the same value in order to communicate.
> If localStorage was affected by document.domain, that would mean that
> foo.example.com could read example.com's data without example.com ever
> opting in to this.

Based on the above comments I haven't changed the spec.

You can work around this limitation by having an iframe in the other origin and using postMessage() to communicate with it to manipulate the other storage area.

--
Ian Hickson U+1047E
http://ln.hixie.ch/ U+263A
Things that are impossible just take longer.
Received on Thursday, 11 June 2009 13:11:09 UTC
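The iframe-plus-postMessage workaround mentioned above, as an added example that is not code from the thread or from any browser: the embedded frame owns its storage area and only answers requests from an explicit allowlist of caller origins, which is the opt-in that Jonas notes document.domain sharing would lack. The origin names and the `fakeLocalStorage` stand-in are assumptions so the example runs offline.

```javascript
// Added example. Assumed setup: https://mysite.example embeds an iframe from
// its own origin; a page at https://test.mysite.example asks that iframe to
// read/write the iframe's localStorage via postMessage().

// Explicit opt-in: only these caller origins may touch this storage area.
const ALLOWED_CALLERS = new Set(['https://test.mysite.example']);

// Stand-in for window.localStorage so the example runs outside a browser.
const fakeLocalStorage = new Map();

// Handler the iframe installs with window.addEventListener('message', ...).
// `event` mirrors the parts of MessageEvent used here: { origin, data, source }.
// Returns the reply object; null means "ignore silently" (untrusted caller).
function handleStorageRequest(event) {
  // The check that document.domain sharing would skip: verify the caller's
  // origin before exposing any data, and never trust a claimed origin in data.
  if (!ALLOWED_CALLERS.has(event.origin)) return null;
  const { op, key, value } = event.data || {};
  if (typeof key !== 'string') return { ok: false, error: 'bad key' };
  switch (op) {
    case 'get':
      return { ok: true, value: fakeLocalStorage.has(key) ? fakeLocalStorage.get(key) : null };
    case 'set':
      if (typeof value !== 'string') return { ok: false, error: 'bad value' };
      fakeLocalStorage.set(key, value);
      return { ok: true };
    default:
      return { ok: false, error: 'unknown op' };
  }
}

// Iframe side: wire the handler up and reply only to the verified origin
// (targetOrigin is event.origin, never '*').
function installBridge(win) {
  win.addEventListener('message', (event) => {
    const reply = handleStorageRequest(event);
    if (reply !== null) event.source.postMessage(reply, event.origin);
  });
}

// Caller side: build a request and send it to the iframe with an explicit
// target origin so the message cannot be delivered to a frame that navigated away.
function sendStorageRequest(frameWindow, frameOrigin, op, key, value) {
  const msg = value === undefined ? { op, key } : { op, key, value };
  frameWindow.postMessage(msg, frameOrigin);
  return msg;
}
```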