[Webkit-unassigned] [Bug 63257] When blocking localStorage, Firefox throws a security exception on access, and maybe so should we
bugzilla-daemon at webkit.org
Fri Sep 14 11:34:38 PDT 2012
https://bugs.webkit.org/show_bug.cgi?id=63257
--- Comment #26 from Brady Eidson <beidson at apple.com> 2012-09-14 11:35:04 PST ---
(In reply to comment #25)
> (In reply to comment #24)
> > (In reply to comment #17)
> > > Created an attachment (id=164084)
> > > --> (https://bugs.webkit.org/attachment.cgi?id=164084&action=review)
> > > Another round - still chromium only complete
> > >
> > > Okay, I've taken the above comments into consideration, and done the following:
> > >...
> > > * introduced a canAccessStorage method which in the default implementation just checks for a detached frame. I'm not sure if this is actually correct as I need to check what Firefox does here.
> >
> > Jeffrey Pfau (cc'ed) is adding a "3rd party storage blocking" feature that allows WebKit to block any 3rd party script from accessing any storage technologies.
> >
> > I think this canAccessStorage method should also check whether the access is disqualified based on 3rd party storage blocking.
>
> There is already the following check in DOMWindow::localStorage and ::sessionStorage accessors:
>
> document->securityOrigin()->canAccessLocalStorage()
>
> I believe that checks for third party accesses and throws the exception. I can try to add it to the canAccessStorage, but that would be potentially expensive...
I didn't mean to recommend a specific implementation detail so much as to make sure the feature worked reasonably with this change. If it already works, then that's great.
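Added example, not part of the original thread and not WebKit code: how page script can cope with an engine that throws a security exception from the `localStorage` accessor itself, as the bug title describes, by falling back to in-memory storage. The names `openStorage` and `createMemoryStorage`, the `reason` strings, and the mock window objects are assumptions made for this illustration; the `null` case assumes an engine that returns nothing instead of throwing.

```javascript
// Minimal in-memory stand-in offering the Storage methods callers usually need.
function createMemoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(String(k)) ? data.get(String(k)) : null),
    setItem: (k, v) => { data.set(String(k), String(v)); },
    removeItem: (k) => { data.delete(String(k)); },
  };
}

// Returns { storage, persistent, reason }. The property read is inside the
// try block because a blocking engine throws from the accessor, before any
// getItem/setItem call is made.
function openStorage(win) {
  try {
    const storage = win.localStorage; // may throw SecurityError when blocked
    if (!storage) {
      // Assumed case: the engine hands back nothing instead of throwing.
      return { storage: createMemoryStorage(), persistent: false, reason: "unavailable" };
    }
    return { storage, persistent: true, reason: null };
  } catch (err) {
    if (err && err.name === "SecurityError") {
      // Blocked by policy (for example third-party storage blocking).
      return { storage: createMemoryStorage(), persistent: false, reason: "blocked" };
    }
    throw err; // unrelated failure: do not mask it
  }
}

// Constructed mock windows so the example runs outside a browser.
function makeSecurityError() {
  const e = new Error("The operation is insecure.");
  e.name = "SecurityError";
  return e;
}
const blockedWindow = { get localStorage() { throw makeSecurityError(); } };
const allowedWindow = { localStorage: createMemoryStorage() };
const emptyWindow = { localStorage: null };

// In a browser the call would be openStorage(window).
const result = openStorage(blockedWindow);
result.storage.setItem("theme", "dark"); // works, but is lost on reload
console.log(result.reason, result.persistent);
```

Callers should check `persistent` before telling the user that a setting was saved, since the fallback store does not survive a page reload.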