Bug 34294 - Initialize DOM Storage's quota's current length parameter when we clone it.
Summary: Initialize DOM Storage's quota's current length parameter when we clone it.
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: DOM
Version: 528+ (Nightly build)
Hardware: Other OS X 10.5
Importance: P2 Normal
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2010-01-28 17:17 PST by Jeremy Orlow
Modified: 2010-02-01 11:36 PST
CC List: 2 users

See Also:


Attachments
Patch (1014 bytes, patch)
2010-01-28 17:20 PST, Jeremy Orlow
abarth: review+

Description Jeremy Orlow 2010-01-28 17:17:59 PST
Initialize DOM Storage's quota's current length parameter when we clone it.
Comment 1 Jeremy Orlow 2010-01-28 17:20:11 PST
Created attachment 47661 [details]
Patch
Comment 2 Adam Barth 2010-01-28 17:23:10 PST
Comment on attachment 47661 [details]
Patch

Ok....  I wish this had a test, but you said in IRC that you couldn't write one that actually worked.
Comment 3 Adam Barth 2010-01-28 17:25:40 PST
Jeremy said this might be a security issue.  Marking security sensitive to be safe.
Comment 4 Jeremy Orlow 2010-01-28 17:40:37 PST
I've looked closer and now I'm pretty sure this is not a security issue.

Background:
LocalStorage has quotas and is shared by all tabs.  SessionStorage does not have quotas and is a per-tab storage.  When you create a new window, we clone the session storage.  We store the amount of quota space currently used in m_currentLength and update it on any mutations.

The current length is supposed to be copied when we clone the StorageMap but it was not.  Cloning should only ever happen for SessionStorage which has no quota (because it never touches disk and there are much better ways to fill up your memory in the browser).  In addition, it's a little far-fetched to think that a site could keep opening up more windows despite popup blockers, users noticing, etc.

Thus I think this isn't actually a security issue.  Sorry for jumping the gun!
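As an added illustration of the defect Comment 4 describes (constructed for this page, not WebKit's code and not part of the patch): a minimal StorageMap stand-in whose clone copies the items but leaves m_currentLength at zero, next to the fixed clone that carries the counter across. The quota and item sizes are made-up values; the effect is that the buggy copy checks every write against an empty counter, so its real usage can pass the quota while the fixed copy rejects the same write.

```cpp
#include <cstddef>
#include <map>
#include <memory>
#include <string>

// Stand-in for a per-origin storage map that tracks its own quota usage.
// Constructed for this illustration; it is not WebKit's StorageMap.
class StorageMap {
public:
    explicit StorageMap(size_t quota) : m_quota(quota), m_currentLength(0) {}
    // Reject the write if the new total would exceed the quota.
    bool setItem(const std::string& key, const std::string& value) {
        size_t oldLength = 0;
        auto it = m_map.find(key);
        if (it != m_map.end())
            oldLength = it->first.size() + it->second.size();
        size_t newTotal = m_currentLength - oldLength + key.size() + value.size();
        if (newTotal > m_quota)
            return false;
        m_map[key] = value;
        m_currentLength = newTotal;
        return true;
    }
    // Clone as the bug describes: items are copied but the counter is not,
    // so the copy believes it is empty and checks the quota against zero.
    std::unique_ptr<StorageMap> copyWithoutLength() const {
        std::unique_ptr<StorageMap> clone(new StorageMap(m_quota));
        clone->m_map = m_map;
        return clone;
    }
    // The fix: the accounting travels with the data.
    std::unique_ptr<StorageMap> copy() const {
        std::unique_ptr<StorageMap> clone = copyWithoutLength();
        clone->m_currentLength = m_currentLength;
        return clone;
    }
    size_t currentLength() const { return m_currentLength; }
    // Recount from the items; this is what m_currentLength should equal.
    size_t actualLength() const {
        size_t total = 0;
        for (const auto& kv : m_map)
            total += kv.first.size() + kv.second.size();
        return total;
    }
private:
    std::map<std::string, std::string> m_map;
    size_t m_quota;
    size_t m_currentLength;
};
```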
Comment 5 Jeremy Orlow 2010-01-28 17:59:28 PST
Landed in 54035.
Comment 6 David Kilzer (:ddkilzer) 2010-02-01 11:35:33 PST
Removing the security bit per Comment #4.