W3C home > Mailing lists > Public > www-tag@w3.org > June 2010

Re: ACTION-438 Question about possibility of cross-site data sharing in Web Storage

From: Anne van Kesteren <annevk@opera.com>
Date: Tue, 15 Jun 2010 13:19:22 +0200
To: public-webapps@w3.org, "Ashok Malhotra" <ASHOK.MALHOTRA@oracle.com>
Cc: Www-Tag <www-tag@w3.org>
Message-ID: <op.veb9qjmv64w2qv@annevk-t60>
On Tue, 15 Jun 2010 13:11:01 +0200, Ashok Malhotra  
<ASHOK.MALHOTRA@oracle.com> wrote:
> At the TAG f2f meeting last week we discussed the Web Storage  
> (http://dev.w3.org/html5/webstorage/) draft.  As you know, Web Storage  
> provides storage mechanisms (local storage and session storage) by  
> origin.  This led us to conclude that it supports the same-origin  
> policy.  But section 6.1 contains the sentence “User agents may allow  
> sites to access session storage areas in an unrestricted manner, but  
> require the user to authorize access to local storage areas.”   This  
> prompted some of us to speculate that a door is being left open for  
> cross-site information sharing in the manner of CORS  
> (http://www.w3.org/TR/access-control/)or UMP(http://www.w3.org/TR/UMP/).
> Would you agree that this reading between the lines is justified?

No, it says before that "Site-specific white-listing of access to local  
storage areas". And then continues with the explanation you quoted. I  
don't quite understand how you went from that to cross-origin usage. All  
it says is that user agents could offer the option to do local storage on  
an opt-in basis to make tracking harder.

Anne van Kesteren
Received on Tuesday, 15 June 2010 11:20:06 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:56:34 UTC