- From: Anne van Kesteren <annevk@opera.com>
- Date: Tue, 26 May 2009 11:26:43 +0200
On Tue, 26 May 2009 09:31:15 +0200, Honza Bambas <honzab at allpeers.com> wrote:
> See also Mozilla bug https://bugzilla.mozilla.org/show_bug.cgi?id=494799
>
> Effective script origin driven by document.domain is used to allow
> sharing of properties and data among pages coming from different
> subdomains. Should this "data sharing" apply also to sessionStorage and
> localStorage? It means: having page load from http://test.mysite.com
> accessing sessionStorage would get sessionStorage bound to
> http://test.mysite.com. When that same page then changes document.domain
> to http://mysite.com, sessionStorage it gets now should be a different
> object, bound to http://mysite.com. A reason to do this is also because
> of security checking. The subject's origin changes to http://mysite.com
> and access to sessionStorage bound to http://test.mysite.com should not
> be allowed (origins are not equal).
>
> Opinions?

I'd rather not leak document.domain more than necessary. Especially with it being bound to the Public Suffix List. If you want to communicate across origins you can always use postMessage().

--
Anne van Kesteren
http://annevankesteren.nl/
Received on Tuesday, 26 May 2009 02:26:43 UTC
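
The postMessage() route mentioned in the reply, sketched as an added example that is not part of the original message: a page on http://mysite.com answers storage reads from http://test.mysite.com only after an exact origin check. The two origins are the thread's example hosts; the handler name, message shape, shareable keys and the stand-in helpers are assumptions made for illustration.

```javascript
// Added example: runs in a page on http://mysite.com, which owns the storage.
// Origins are the thread's example hosts; message shape and keys are assumptions.
const ALLOWED_ORIGINS = new Set(["http://test.mysite.com"]);
const SHAREABLE_KEYS = new Set(["theme", "lang"]); // hypothetical keys

// Handle one MessageEvent-like object; returns a short status for logging.
function handleStorageRequest(event, storage) {
  // Exact match on the browser-supplied origin: no suffix or regex tests,
  // so a host that merely starts or ends with an allowed name is refused.
  if (!ALLOWED_ORIGINS.has(event.origin)) return "rejected-origin";

  const msg = event.data;
  if (msg === null || typeof msg !== "object" || msg.type !== "get" ||
      typeof msg.key !== "string") return "rejected-format";
  // Only explicitly shared keys leave this origin's storage.
  if (!SHAREABLE_KEYS.has(msg.key)) return "rejected-key";

  // Reply to the verified origin only, never to "*".
  event.source.postMessage(
    { type: "value", key: msg.key, value: storage.getItem(msg.key) },
    event.origin
  );
  return "answered";
}

// In a browser, on http://mysite.com:
//   window.addEventListener("message",
//     (e) => handleStorageRequest(e, sessionStorage));
// and on http://test.mysite.com, with the owning page loaded in an iframe:
//   frame.contentWindow.postMessage({ type: "get", key: "theme" },
//                                   "http://mysite.com");

// Constructed stand-ins so the handler can be exercised outside a browser.
function makeStorage(entries) {
  const map = new Map(Object.entries(entries));
  return { getItem: (k) => (map.has(k) ? map.get(k) : null) };
}
function makeEvent(origin, data) {
  const sent = [];
  return { origin, data, sent,
           source: { postMessage: (m, target) => sent.push({ m, target }) } };
}
```

Neither page sets document.domain here, so each keeps its own origin and its own storage area; only the allowlisted keys cross the boundary.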