On 20 Mar., 07:38, Kevin Layman <[email protected]> wrote:
> 2> is it possible like data stored locally by one site is accessible from
> other site (security)
>
> Someone else more knowledgeable than me needs to chime in here, but I would
> say theoretically yes.

The answer to this is easy:

There is no difference between Gears and an ordinary website.  Gears
only acts (mainly, except for some things like the Geolocation API)
like a website proxy cache.  So just as a website is able to access
another website, there is a way that one Gears accesses another one
(for example by using IFRAME).  Or another website.  Or a website
Gears.  (Or General Failure reading your hard drive.  YKWIM)

Having said that, this answer already is wrong.  Gears offers a new
way for site interaction:  Cross domain workers.  With a cross domain
worker, Gears is able to access data on another website and thus data
can be published this way to the other website, too.  But the cross
domain workers must be started by the code which activates Gears in
your browser AND the other domain must allow the cross domain workers
as well, so there must be a certain high level of prior defined
cooperation between the JavaScript code on both domains to
successfully work together.

So if you ask: "Is there a way to be able to let two websites
intercommunicate on a reliable and pre-defined way with Gears and
without using things like Greasemonkey or other bad workarounds", then
the answer is "yes".  Gears adds a rather easier way to interact
between websites than there already is (for example, without Gears you
still can construct IMG URLs to play Global Thermonuclear Warfare with
data between different sites on the Internet, if both know how to play
Wargames.  However as we know, the best turn is not to start this
game *eg*).  For security this means:  Yes, your data can leak to
other websites, if the programmer who wrote the JavaScript intended to
let such data leak.  Gears offers no protection against evil program
code from a domain to leak the data from that domain to another domain
(it cannot access data of a third domain, though, which is not
cooperative).

If you ask "is my locally stored data secure against other evil
websites who try to steal data", the answer is that Gears has no
known holes to leak such information, or to put it this way: There is no
higher risk with Gears than there is without it.  However as always,
Gears might have bugs and Gears is unable to secure data on insecure
computers, and there are steadily pouring in bugs for all browsers
which might leak data, AND with increased complexity of code the
probability of Cross-Site-Attacks becomes higher as well.  For
example, if a backup of your hard drive makes it to a website, all
Gears data can be read from this backup of course.

So Gears introduces no additional magic to protect your data.  But it
also does not introduce new threats except the obvious ones which
always come with more code.


> 3> is it possible like user himself can modify cached data (security)
>
> If by cached you mean stored in the localstore db or your app db,
> absolutely, anyone with access to the local machine can access the db.

I already read and modify the local Gears database with Cygwin.

As Gears becomes deadly slow if it has to cache more than 3000 URLs or
so, I have a fixer script which accesses the Gears SQLite database and
repairs it such that I think I will be able to store more than 1
Million URLs in a single LocalFileStore.  (However I am still far from
my goal of more than 1 Billion URLs, Gears cannot help with this,
sadly, because it seems that Gears sometimes accesses SQLite not using
indexes and therefore it takes ages until the table scan completes on a
50 GiB SQLite database. With a 700 MiB database, however, it is not this
bad, as the DB then fits into memory cache.)

$ sqlite3 localserver.db 'select max(EntryID) from Entries'
377697
$ ls -al localserver.db
-rwx------+ 1 tino None 296039424 2010-03-21 16:17 localserver.db

HTH
-Tino
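
As an added example (not part of the original post and not Gears code): because anyone with local access can edit the client-side SQLite file, a server that takes rows back from it can tag each record with an HMAC and check the tag on sync. The `notes` schema, the key and the function names are constructed for illustration and are not Gears' own.

```python
import hashlib
import hmac
import sqlite3

# Assumption: this key lives only on the server and never reaches the client.
SERVER_KEY = b"constructed-demo-key"


def tag(record_id: int, body: str) -> str:
    """Server-side HMAC-SHA256 over the record id and body."""
    msg = f"{record_id}:{body}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def make_local_store() -> sqlite3.Connection:
    """Stand-in for a client-side SQLite file (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT, tag TEXT)")
    for rid, body in [(1, "balance=10"), (2, "role=user")]:
        db.execute("INSERT INTO notes VALUES (?, ?, ?)", (rid, body, tag(rid, body)))
    db.commit()
    return db


def tamper(db: sqlite3.Connection) -> None:
    """What a local user can do with the sqlite3 shell: edit a row in place."""
    db.execute("UPDATE notes SET body = 'role=admin' WHERE id = 2")
    db.commit()


def verify_on_sync(db: sqlite3.Connection) -> list[int]:
    """Server-side check on returned rows: ids whose tag no longer matches."""
    bad = []
    for rid, body, stored in db.execute("SELECT id, body, tag FROM notes ORDER BY id"):
        if not hmac.compare_digest(stored, tag(rid, body)):
            bad.append(rid)
    return bad


if __name__ == "__main__":
    store = make_local_store()
    print("before edit:", verify_on_sync(store))
    tamper(store)
    print("after edit: ", verify_on_sync(store))
```

The tag detects edited rows but not deleted rows or an older, validly tagged row being put back; those need a server-side version counter.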
