The spec at http://www.whatwg.org/specs/web-apps/current-work/multipage/section-sql.html#sql states that "Each origin has an associated set of databases."

Origins are described at http://www.whatwg.org/specs/web-apps/current-work/multipage/section-scripting.html#origin0 and basically boil down to <scheme>,<host>,<port>

To me, this implies that a page hosted at "http://www.foo.com:80/user1" has access to all databases that were created by "http://www.foo.com:80/user2".

Even if the page at "http://www.foo.com:80/user1" needs to know the database name and the correct version from "http://www.foo.com:80/user2", this seems like a glaring security issue.

Am I misreading the spec or missing some other detail that would prevent this hole?

Thanks,
Brady
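
The concern raised in the message above, modelled as an added example that is not part of the original post or of the spec. `originOf`, `OriginStore`, the database name `notes` and the version-mismatch behaviour are assumptions made for illustration; the point is that the path never enters the storage key.

```javascript
// Toy model of origin-scoped database storage (hypothetical names, not spec APIs).
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its <scheme>,<host>,<port> tuple; the path is discarded.
function originOf(pageUrl) {
  const u = new URL(pageUrl);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol.replace(":", "")},${u.hostname},${port}`;
}

class OriginStore {
  constructor() {
    this.byOrigin = new Map(); // origin tuple -> Map(name -> { version, rows })
  }

  // Open (or create) a database on behalf of the page at pageUrl.
  // Assumption: a wrong version is rejected, as the message supposes.
  open(pageUrl, name, version) {
    const origin = originOf(pageUrl);
    if (!this.byOrigin.has(origin)) this.byOrigin.set(origin, new Map());
    const dbs = this.byOrigin.get(origin);
    if (!dbs.has(name)) dbs.set(name, { version, rows: [] });
    const db = dbs.get(name);
    if (db.version !== version) throw new Error("version mismatch");
    return db;
  }
}

function demo() {
  const store = new OriginStore();
  // Constructed sample data written by the page under /user2.
  store.open("http://www.foo.com:80/user2", "notes", "1.0").rows.push("user2 private note");

  // Same scheme, host and port, different path: same set of databases.
  const samePath = store.open("http://www.foo.com:80/user1", "notes", "1.0").rows;
  // Different port: different origin, so a fresh, empty database.
  const otherPort = store.open("http://www.foo.com:8080/user1", "notes", "1.0").rows;
  // Same origin, wrong version: the only barrier is knowing name and version.
  let wrongVersion = "opened";
  try { store.open("http://www.foo.com/user1", "notes", "2.0"); }
  catch (e) { wrongVersion = e.message; }
  return { samePath, otherPort, wrongVersion };
}
```

In this model, separating the two users requires giving each a distinct scheme, host or port, since nothing else participates in the key.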
