Bug 34294

Summary: Initialize DOM Storage's quota's current length parameter when we clone it.
Product: WebKit Reporter: Jeremy Orlow <jorlow>
Component: DOMAssignee: Nobody <webkit-unassigned>
Severity: Normal CC: abarth, ddkilzer
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Other   
OS: OS X 10.5   
Description Flags
Patch abarth: review+

Description Jeremy Orlow 2010-01-28 17:17:59 PST
Initialize DOM Storage's quota's current length parameter when we clone it.
Comment 1 Jeremy Orlow 2010-01-28 17:20:11 PST
Created attachment 47661 [details]
Comment 2 Adam Barth 2010-01-28 17:23:10 PST
Comment on attachment 47661 [details]

Ok....  I wish this had a test, but you said in IRC that you couldn't write one that actually worked.
Comment 3 Adam Barth 2010-01-28 17:25:40 PST
Jeremy said this might be a security issue.  Marking security sensitive to be safe.
Comment 4 Jeremy Orlow 2010-01-28 17:40:37 PST
I've looked closer and now I'm pretty sure this is not a security issue.

LocalStorage has quotas and is shared by all tabs.  SessionStorage does not have quotas and is a per-tab storage.  When you create a new window, we clone the session storage.  We store the amount of quota space currently used in m_currentLength and update it on any mutations.

The current length is supposed to be copied when we clone the StorageMap but it was not.  Cloning should only ever happen for SessionStorage which has no quota (because it never touches disk and there are much better ways to fill up your memory in the browser).  In addition, it's a little far-fetched to think that a site could keep opening up more windows despite popup blockers, users noticing, etc.

Thus I think this isn't actually a security issue.  Sorry for jumping the gun!
Comment 5 Jeremy Orlow 2010-01-28 17:59:28 PST
Landed in 54035.
Comment 6 David Kilzer (:ddkilzer) 2010-02-01 11:35:33 PST
Removing the security bit per Comment #4.