
[whatwg] Should DOM storage objects be mapped by an "effective script origin" rather than just an "origin"?

From: Honza Bambas <honzab@allpeers.com>
Date: Tue, 26 May 2009 09:31:15 +0200
Message-ID: <4A1B9AC3.2040800@allpeers.com>
See also mozilla bug https://bugzilla.mozilla.org/show_bug.cgi?id=494799

Effective script origin driven by document.domain is used to allow
sharing of properties and data among pages coming from different
subdomains. Should this "data sharing" also apply to sessionStorage and
localStorage? It means: a page loaded from http://test.mysite.com
accessing sessionStorage would get sessionStorage bound to
http://test.mysite.com. When that same page then changes document.domain
to http://mysite.com, the sessionStorage it now gets should be a different
object, bound to http://mysite.com. A reason to do this is also because
of security checking. The subject's origin changes to http://mysite.com
and access to sessionStorage bound to http://test.mysite.com should not
be allowed (origins are not equal).

Opinions?

Received on Tuesday, 26 May 2009 00:31:15 UTC
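
The two mappings asked about in the message above, as an added example that is not part of the original post or of any browser's code: a simplified Node.js model in which storage areas are keyed either by origin or by effective script origin. The class and function names, the sibling host other.mysite.com, the stored values and the `:*` port notation are assumptions made for illustration.

```javascript
// Simplified model of the question in the post; all names are hypothetical.
class ModelDocument {
  constructor(url) {
    const u = new URL(url);
    this.scheme = u.protocol.slice(0, -1);
    this.host = u.hostname;
    this.port = u.port || (this.scheme === 'https' ? '443' : '80');
    this.domainOverride = null; // set when script assigns document.domain
  }
  // document.domain takes a host name and can only be relaxed to a parent domain.
  setDomain(value) {
    if (value !== this.host && !this.host.endsWith('.' + value)) {
      throw new Error(`SecurityError: ${value} is not a suffix of ${this.host}`);
    }
    this.domainOverride = value;
  }
  // Origin: fixed by the URL the page was loaded from.
  get origin() { return `${this.scheme}://${this.host}:${this.port}`; }
  // Effective script origin: follows document.domain once set (port ignored here).
  get effectiveScriptOrigin() {
    if (this.domainOverride === null) return this.origin;
    return `${this.scheme}://${this.domainOverride}:*`;
  }
}
// Returns one storage area per key; keyFn picks which origin notion is the key.
function makeRegistry(keyFn) {
  const areas = new Map();
  return (doc) => {
    const key = keyFn(doc);
    if (!areas.has(key)) areas.set(key, new Map());
    return areas.get(key);
  };
}

function demo(keyFn) {
  const areaFor = makeRegistry(keyFn);
  const page = new ModelDocument('http://test.mysite.com/');
  const sibling = new ModelDocument('http://other.mysite.com/'); // constructed host
  const before = areaFor(page);
  before.set('token', 'constructed-sample-value');
  page.setDomain('mysite.com');
  sibling.setDomain('mysite.com');
  const after = areaFor(page);
  after.set('shared', '1');
  return { sameObject: after === before, oldTokenVisible: after.has('token'),
           siblingSeesShared: areaFor(sibling).has('shared') };
}

console.log(demo((d) => d.origin), demo((d) => d.effectiveScriptOrigin));
```

Keyed by origin, the page keeps the same storage object after the document.domain change and the sibling subdomain sees nothing; keyed by effective script origin, the page gets a different object and shares it with any subdomain that sets the same document.domain.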
