W3C home > Mailing lists > Public > whatwg@whatwg.org > May 2009

[whatwg] Should DOM storage objects be mapped by an "effective script origin" rather then just an "origin"?

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 26 May 2009 11:26:43 +0200
Message-ID: <op.uui5utrl64w2qv@annevk-t60>
On Tue, 26 May 2009 09:31:15 +0200, Honza Bambas <honzab at allpeers.com> wrote:
> See also mozilla bug https://bugzilla.mozilla.org/show_bug.cgi?id=494799
> Effective script origin driven by document.domain is used to allow
> sharing of properties and data among pages coming from different
> subdomains. Should this "data sharing" apply also to sessionStorage and
> localStorage? It means: having page load from http://test.mysite.com
> accessing sessionStorage would get sessionStorage bound to
> http://test.mysite.com. When that same page than changes document.domain
> to http://mysite.com, sessionStorage it gets now should be a different
> object, bound to http://mysite.com. A reason to do this is also because
> of security checking. The subject's origin changes to http://mysite.com
> and access to sessionStorage bound to http://test.mysite.com should not
> be allowed (origins are not equal).
> Opinions?

I'd rather not leak document.domain leak more than necessary. Especially with it being bound to the Public Suffix List. If you want to communicate across origins you can always use postMessage().

Anne van Kesteren
Received on Tuesday, 26 May 2009 02:26:43 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:12 UTC