At the TAG f2f meeting last week we discussed the Web Storage (http://dev.w3.org/html5/webstorage/) draft. As you know, Web Storage provides storage mechanisms (local storage and session storage) by origin. This led us to conclude that it supports the same-origin policy. But section 6.1 contains the sentence “User agents may allow sites to access session storage areas in an unrestricted manner, but require the user to authorize access to local storage areas.” This prompted some of us to speculate that a door is being left open for cross-site information sharing in the manner of CORS (http://www.w3.org/TR/access-control/)or UMP(http://www.w3.org/TR/UMP/).
Would you agree that this reading between the lines is justified?
