canmove, Confirmed users
640
edits
Firefox3.1/localStorage Security Review: Difference between revisions
Jump to navigation
Jump to search
Firefox3.1/localStorage Security Review (view source)
Revision as of 21:19, 24 March 2009
, 24 March 2009→Review comments
(New page: == Overview == localStorage is a replacement for globalStorage. There are two major differences from globalStorage: * Access control is same-origin, rather than same-host * The StorageI...) |
|||
| Line 78: | Line 78: | ||
== Review comments == | == Review comments == | ||
* currently if cookie lifetime is session-only we turn globalStorage/localStorage into a lame current-page-only memory store. It would be better to throw an error (QUOTA_EXCEEDED_ERR is mentioned in the spec for this case) or return null for locationStorage itself. Something that lets developers switch to using real sessionStorage instead, or telling users to enable the feature. | |||
* test that blocking cookies for a host does block localStorage for that host | |||
* test that localStorage is truly origin-based -- i.e. windows on different ports or schemes should not be able to access each other's localStorage even if the same host. | |||
* use of globalStorage[] should put a deprecation warning on the error console. Probably just the first use per window to avoid perf problems (object creation). | |||
* add default prefs to all.js for missing values (e.g. quota). | |||