Ian Hickson wrote:
Note that the problems you raise also exist (and have long existed) with
cookies; at least the storage APIs default to a safe state in the general
case instead of defaulting to an unsafe state.
In what way do the storage APIs default to a safe state? What unsafe
state is
Ian Hickson said (among other things):
It seems that what you are suggesting is that foo.example.com cannot trust
example.com, because example.com could then steal data from
foo.example.com. But there's a much simpler attack scenario for
example.com: it can just take over foo.example.com
Ian Hickson wrote:
This is mentioned in the Security and privacy section; the third
bullet point here for example suggests blocking access to public
storage areas:
http://whatwg.org/specs/web-apps/current-work/#user-tracking
I did read the suggestions and I know the authors have given these
On 28/08/06, Shannon Baker [EMAIL PROTECTED] wrote:
I accept tracking is inevitable but we
shouldn't be making it easier either.
You have to remember that the WHAT-WG individual is a Google employee,
a company that now relies on accurate tracking of details, so don't be
surprised that any
On 8/28/06, Jim Ley [EMAIL PROTECTED] wrote:
On 28/08/06, Shannon Baker [EMAIL PROTECTED] wrote:
I accept tracking is inevitable but we
shouldn't be making it easier either.
You have to remember that the WHAT-WG individual is a Google employee,
a company that now relies on accurate tracking
On Mon, 28 Aug 2006, Shannon Baker wrote:
This is mentioned in the Security and privacy section; the third
bullet point here for example suggests blocking access to public
storage areas:
http://whatwg.org/specs/web-apps/current-work/#user-tracking
I did read the suggestions
I've read the 2006-08-21 draft of Web Applications 1.0 carefully and I'm
horrified that section 5.9 on persistent storage is being considered as
a web standard - at least in its current form. My objections can be
summarised as:
* Authors' failure to handle the implications of global storage.
*
On Sun, 27 Aug 2006 19:11:17 +0700, Shannon Baker [EMAIL PROTECTED] wrote:
But why bother? This whole problem is easily solved by allowing data to
be stored with an access control list (ACL). For example the site
developer should be able to specify that a data object be available to
On 8/27/06, Shannon Baker [EMAIL PROTECTED] wrote:
== 1: Authors' failure to handle the implications of global storage. ==
First let's talk about the global store (globalStorage['']) which is
accessible from ALL domains.
This is mentioned in the Security and privacy section; the third
bullet
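As an added illustration of the two positions in this thread (the domain-scoped storage areas of the 2006 draft, including the public globalStorage[''] area accessible from all domains, versus the per-object ACL Shannon Baker proposes), here is a small JavaScript model. It is example code written for this page, not code from the thread or from the WHATWG draft. It assumes the access rule as the thread describes it: an area keyed by a domain is readable from that host and any of its subdomains, and the '' area from any host; the ACL variant, the hostnames and the keys are all constructed for the example.

```javascript
// Added example, not from the thread or the draft. Models the 2006 draft's
// domain-scoped globalStorage access rule as described in the discussion,
// then the per-object ACL alternative proposed as a counter-measure.

// ASSUMPTION: a storage area keyed by domain D is accessible from host D and
// from every subdomain of D; the '' (public) area is accessible from any host.
function canAccessArea(areaDomain, requesterHost) {
  if (areaDomain === '') return true;
  // The leading '.' stops "notexample.com" matching the "example.com" area.
  return requesterHost === areaDomain || requesterHost.endsWith('.' + areaDomain);
}

// Every host (from a given list) that may read a storage area.
function readersOf(areaDomain, hosts) {
  return hosts.filter((h) => canAccessArea(areaDomain, h));
}

// ACL alternative (modelling assumption): each stored object carries an
// explicit list of hostnames, and only an exact match may read it.
function createAclStore() {
  const items = new Map();
  return {
    set(key, value, acl) {
      items.set(key, { value, acl: new Set(acl) });
    },
    get(key, requesterHost) {
      const item = items.get(key);
      if (!item || !item.acl.has(requesterHost)) return undefined;
      return item.value;
    },
  };
}

// Constructed hostnames for the demonstration.
const HOSTS = ['example.com', 'foo.example.com', 'bar.example.com', 'other.com', 'example.org'];

function demo() {
  const publicReaders = readersOf('', HOSTS);             // every host
  const comReaders = readersOf('com', HOSTS);             // every .com host
  const exampleReaders = readersOf('example.com', HOSTS); // example.com and its subdomains

  // With an ACL, foo.example.com can store something its parent cannot read.
  const store = createAclStore();
  store.set('session', 's3cr3t', ['foo.example.com']);
  return {
    publicReaders,
    comReaders,
    exampleReaders,
    fooCanRead: store.get('session', 'foo.example.com'),
    parentCanRead: store.get('session', 'example.com'),
  };
}

console.log(demo());
```

Under the domain-suffix rule, anything written to the '' or 'com' areas is readable by every host in the list, which is the tracking surface the thread objects to; the ACL store makes the reader set explicit per object instead of deriving it from the hostname hierarchy.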