[webkit-dev] Database Storage

David Kilzer ddkilzer at webkit.org
Fri Oct 3 13:18:33 PDT 2008


Not discussed yet is that data is secured between JavaScript from a web page on Site A accessing data originally stored from a web page on Site B.  This is not allowed.

Note that a web page served from <http://www.domain.com/> cannot access a database saved from a web page served from <http://domain.com/>, and vice-versa.  The protocol (or scheme), hostname, and (implied) port number must all match before the database is accessible.

Dave


On Fri, 10/3/08, Brady Eidson <beidson at apple.com> wrote:

> To expand on this point,
> 
> The data you store on your user's system should be your user's data.
> It should belong to them, and therefore "security concerns" about what
> they do with it should be moot.
> 
> You can, of course, encrypt the data or otherwise obfuscate it before
> storing it in the database, but that's not enough to keep them from
> poking around messing with it.
> 
> First rule of computer security - all security measures are worthless
> if the attacker gains physical access to the machine.
> 
> ~Brady
> 
> On Oct 3, 2008, at 3:29 AM, Anthony Ricaud wrote:
> 
> > Hi,
> >
> > The database storage (like cookies, localStorage and sessionStorage)
> > is stored locally. So everyone can modify it, you can't rely on it.
> > It's really easy to do so with the Database panel in the Web
> > Inspector.
> >
> > Anthony.
> >
> > On 3 Oct 08 at 02:45, Loll wrote:
> >
> >> Hi,
> >>
> >> I'm not sure if this is the right place to ask this or not, so I'm
> >> sorry in advance if it is.
> >>
> >> I am interested in the database Storage that is now available through
> >> webkit and had a few questions about it.
> >>
> >> My main point of interest is in the security of it. Right now, the
> >> website I develop uses PHP and information is stored using PHP
> >> sessions. From a server's point of view I can see a lot of advantages
> >> of storing such data locally. For one thing, it's a lot less reads and
> >> writes to the server, making it a bit faster I would expect.
> >>
> >> But how secure is the data? Is it secure enough to reliably put such
> >> info on a client's system? I'm not talking about bank data here, but I
> >> am looking at data that I would not want to be altered or viewed in
> >> its raw format all the same.
> >>
> >> Is it safe to assume that no one is going to get into it, any more
> >> than it's safe to assume that no one is going to hijack a PHP Session
> >> to gain access to the same data?
> >>
> >> Anyway I just wondered if it was a good idea to think about moving in
> >> the direction of local storage vs server storage and what level of
> >> data should be safely stored that way, vs what shouldn't be stored
> >> that way.
> >>
> >> Thanks
> >>
> >> Loll
> >> _______________________________________________
> >> webkit-dev mailing list
> >> webkit-dev at lists.webkit.org
> >> http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev

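The matching rule stated at the top of this message (scheme, hostname and implied port must all agree), shown as an added example that is not part of the original thread and is not WebKit's code. The names `originKey`, `sameOrigin` and `OriginPartitionedStore` are hypothetical, the default-port table covers only http and https, and the URLs are constructed samples.

```javascript
// Added illustration: a model of origin-keyed storage, not WebKit's implementation.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Reduce a page URL to the (scheme, hostname, port) tuple that must match.
function originKey(pageUrl) {
  const u = new URL(pageUrl);
  // URL.port is '' when the port is implied by the scheme, so fill it in.
  const port = u.port || DEFAULT_PORTS[u.protocol];
  if (!port) throw new Error('no default port known for ' + u.protocol);
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originKey(a) === originKey(b);
}

// Hypothetical store: one namespace of named databases per origin.
class OriginPartitionedStore {
  constructor() { this.byOrigin = new Map(); }
  open(pageUrl, dbName) {
    const key = originKey(pageUrl);
    if (!this.byOrigin.has(key)) this.byOrigin.set(key, new Map());
    const dbs = this.byOrigin.get(key);
    if (!dbs.has(dbName)) dbs.set(dbName, new Map());
    return dbs.get(dbName);
  }
}

// Constructed sample: one page writes, pages at other URLs try to read.
function demo() {
  const store = new OriginPartitionedStore();
  store.open('http://www.domain.com/app', 'prefs').set('theme', 'dark');
  return {
    samePage: store.open('http://www.domain.com/other', 'prefs').get('theme'),
    explicitPort: store.open('http://www.domain.com:80/', 'prefs').get('theme'),
    bareDomain: store.open('http://domain.com/', 'prefs').get('theme'),
    otherScheme: store.open('https://www.domain.com/', 'prefs').get('theme'),
  };
}

console.log(demo());
```

This isolation separates one site's scripts from another's; it does not protect the stored data from the user of the machine, which is the point made in the quoted replies.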