Bug 45304
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | localStorage cross-domain sandbox with http / https urls | | |
| Product | WebKit | Reporter | Mark Beeson <spam-webkit> |
| Component | WebCore Misc. | Assignee | Nobody <webkit-unassigned> |
| Status | RESOLVED WONTFIX | | |
| Severity | Normal | CC | abarth, ap, spam-webkit |
| Priority | P2 | | |
| Version | 528+ (Nightly build) | | |
| Hardware | Mac (Intel) | | |
| OS | OS X 10.6 | | |
Mark Beeson
Currently, window.localStorage.getItem(key) returns values of keys when browsing http://example.com -- however, going to https://example.com gives a cross-domain exception and the browser can't see keys that have been set on http://example.com.
In theory, this should work the same as cookies; non-secure cookies are able to be read on SSL-enabled pages, but not vice-versa. Similarly, non-secure key/value pairs should be able to be read (and modified) on SSL-enabled pages.
Alexey Proskuryakov
From a cursory glance at the spec, this is working as expected. Cookie same origin security model is different from what most other Web platform features have, and it's normal that http and https are considered completely unrelated origins.
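Added example (not part of the bug report or of WebKit's code) illustrating the two security models the comments above contrast: Web Storage is keyed by origin, i.e. scheme, host and port, so http://example.com and https://example.com are distinct origins, while cookies are keyed by host alone and only the Secure attribute restricts a cookie to https pages. The `storageOrigin`, `sameStorageOrigin` and `cookieVisible` helpers and the `sessionCookie` sample are hypothetical constructs for this demonstration; `cookieVisible` models only the host match and the Secure flag and ignores the Domain and Path attributes.

```javascript
// Added example, not code from the WebKit bug or its code base. Uses the
// WHATWG URL class, which Node.js and browsers provide as a global.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Storage origin as the Web Storage / HTML specs define it: scheme, host and
// port. The URL parser drops a default port, so we restore it to make the
// comparison explicit. Two URLs share localStorage only if all three match.
function storageOrigin(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

function sameStorageOrigin(a, b) {
  return storageOrigin(a) === storageOrigin(b);
}

// Cookie visibility (hypothetical helper, not a real cookie jar): cookies are
// keyed by host, with no scheme or port. A cookie set without the Secure
// attribute is sent to both http and https pages on that host; a Secure
// cookie is sent only to https pages. Domain and Path scoping are omitted.
function cookieVisible(cookie, pageUrl) {
  const u = new URL(pageUrl);
  if (cookie.host.toLowerCase() !== u.hostname.toLowerCase()) return false;
  if (cookie.secure && u.protocol !== 'https:') return false;
  return true;
}

// Constructed sample: a non-Secure session cookie set by the http page.
const sessionCookie = { name: 'sid', host: 'example.com', secure: false };

// Runs the comparison the bug report describes and returns the outcomes.
function demo() {
  const httpPage = 'http://example.com/';
  const httpsPage = 'https://example.com/';
  return {
    // localStorage written on the http page is invisible on the https page
    storageShared: sameStorageOrigin(httpPage, httpsPage),
    // an explicit default port is still the same origin
    storageSharedDefaultPort: sameStorageOrigin(httpPage, 'http://example.com:80/path'),
    // the non-Secure cookie is readable on both pages
    cookieOnHttp: cookieVisible(sessionCookie, httpPage),
    cookieOnHttps: cookieVisible(sessionCookie, httpsPage),
    // a Secure cookie is the one direction that is restricted
    secureCookieOnHttp: cookieVisible({ ...sessionCookie, secure: true }, httpPage),
  };
}

console.log(demo());
```

Running `demo()` shows `storageShared: false` alongside `cookieOnHttps: true`, which is exactly the asymmetry the reporter ran into: nothing in the storage origin tuple lets an https page reach data an http page wrote, whereas the cookie model leaks non-Secure cookies upward into the https context (and exposes them to any active network attacker on the http side, which is the reason the later comment calls the cookie model wrong).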
Mark Beeson
From the letter of the spec, I would agree with you -- port 443 is different from port 80. However, this makes an implementation of localStorage on applications which need to switch between http and https pages (say, for authentication, purchasing, etc.) nearly impossible.
Adam Barth
The cookie security model is wrong and shouldn't be copied by new web platform features. Our current behavior is correct.