Bug 34294

Summary: Initialize DOM Storage's quota's current length parameter when we clone it.
Product: WebKit Reporter: Jeremy Orlow <jorlow>
Component: DOMAssignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED    
Severity: Normal CC: abarth, ddkilzer
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Other   
OS: OS X 10.5   
Attachments:
Description Flags
Patch abarth: review+

Jeremy Orlow
Reported 2010-01-28 17:17:59 PST
Initialize DOM Storage's quota's current length parameter when we clone it.
Attachments
Patch (1014 bytes, patch)
2010-01-28 17:20 PST, Jeremy Orlow 		abarth: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Jeremy Orlow
Comment 1 2010-01-28 17:20:11 PST
Created attachment 47661 [details] Patch
Adam Barth
Comment 2 2010-01-28 17:23:10 PST
Comment on attachment 47661 [details] Patch Ok.... I wish this had a test, but you said in IRC that you couldn't write one that actually worked.
Adam Barth
Comment 3 2010-01-28 17:25:40 PST
Jeremy said this might be a security issue. Marking security sensitive to be safe.
Jeremy Orlow
Comment 4 2010-01-28 17:40:37 PST
I've looked closer and now I'm pretty sure this is not a security issue. Background: LocalStorage has quotas and is shared by all tabs. SessionStorage does not have quotas and is a per-tab storage. When you create a new window, we clone the session storage. We store the amount of quota space currently used in m_currentLength and update it on any mutations. The current length is supposed to be copied when we clone the StorageMap but it was not. Cloning should only ever happen for SessionStorage which has no quota (because it never touches disk and there are much better ways to fill up your memory in the browser). In addition, it's a little far-fetched to think that a site could keep opening up more windows despite popup blockers, users noticing, etc. Thus I think this isn't actually a security issue. Sorry for jumping the gun!
Jeremy Orlow
Comment 5 2010-01-28 17:59:28 PST
Landed in 54035.
David Kilzer (:ddkilzer)
Comment 6 2010-02-01 11:35:33 PST
Removing the security bit per Comment #4.
Note You need to log in before you can comment on or make changes to this bug.