[webkit-dev] SessionStorage being serialized to disk

[Adam Barth]

I don't see a security problem with writing sessionStorage to disk.
Site already aren't guaranteed that their memory won't be paged out to
disk.

Adam


On Tue, May 12, 2009 at 3:50 PM, Jeremy Orlow <jorlow at chromium.org> wrote:
> Is anyone here dead set against window.sessionStorage ever being written out
> to disk (in an unencrypted form)?
> Session storage needs to be stored for the life of the Page class since the
> user can always navigate back to a site or hit the back button.  This means
> that a very long lived tab could start wasting a lot of memory in a world
> where session storage is commonly used.
> The only reason I've heard against writing session storage to disk is
> security.  For example, a web site storing some security token client side.
>  Unfortunately, you never know when your memory is going to get paged to
> disk, so if we're serious about keeping session storage secure, we'd need to
> address that--at least for sites using HTTPS.
> The spec itself doesn't explicitly say either way.  It does suggest that the
> lifetime of a browsing context (and thus session storage) is not necessarily
> connected to the lifetime of a browsing process.  Since some crash recovery
> implementations work by serializing the browsers state to disk, the spec
> seems to be suggesting that it _can_ be written to disk, but I'm not aware
> of any browsers actually doing this yet.
> If we did feel strongly about making security guarantees for session
> storage, we should probably suggest on WhatWG that it be guaranteed by the
> spec.
> J
> _______________________________________________
> webkit-dev mailing list
> webkit-dev at lists.webkit.org
> http://lists.webkit.org/mailman/listinfo.cgi/webkit-dev
>
>