RESOLVED WONTFIX 45304
localStorage cross-domain sandbox with http / https urls
https://bugs.webkit.org/show_bug.cgi?id=45304
Mark Beeson
Reported 2010-09-07 09:43:01 PDT
Currently, window.localStorage.getItem(key) returns values of keys when browsing http://example.com -- however, going to https://example.com gives a cross-domain exception and the browser can't see keys that have been set on http://example.com. In theory, this should work the same as cookies; non-secure cookies are able to be read on SSL-enabled pages, but not vice-versa. Similarly, non-secure key/value pairs should be able to be read (and modified) on SSL-enabled pages.
Alexey Proskuryakov
Comment 1 2010-09-08 13:14:32 PDT
From a cursory glance at the spec, this is working as expected. The cookie same-origin security model is different from what most other Web platform features have, and it's normal that http and https are considered completely unrelated origins.
Mark Beeson
Comment 2 2010-09-08 13:33:37 PDT
From the letter of the spec, I would agree with you -- port 443 is different than port 80. However, this makes an implementation of localStorage on applications which need to switch between http and https pages (say, for authentication, purchasing, etc.) nearly impossible.
Adam Barth
Comment 3 2010-09-08 14:57:56 PDT
The cookie security model is wrong and shouldn't be copied by new web platform features. Our current behavior is correct.
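The difference discussed in this thread, as an added example that is not part of the bug report or WebKit's code: storage is partitioned by the full origin (scheme, host, port), while cookies are scoped by host and only restricted by scheme when marked Secure. Function names and the sample pages and cookies are constructed for illustration, and cookie Domain/Path matching is omitted.

```javascript
// Added illustration; helper names are hypothetical, not WebKit internals.

// Web storage is keyed by origin: the (scheme, host, port) tuple.
function storageOrigin(url) {
  return new URL(url).origin; // default ports (80/443) are normalised away
}

function sameStorageArea(urlA, urlB) {
  return storageOrigin(urlA) === storageOrigin(urlB);
}

// Simplified cookie scoping: host match plus the Secure attribute.
// Port is never considered, and scheme only matters for Secure cookies.
function cookieSentTo(cookie, url) {
  const u = new URL(url);
  if (u.hostname !== cookie.host) return false;
  if (cookie.secure && u.protocol !== "https:") return false;
  return true;
}

// Constructed sample data.
const pages = [
  "http://example.com/",
  "https://example.com/",
  "https://example.com:443/cart",
  "http://example.com:8080/",
];
const cookies = [
  { name: "prefs", host: "example.com", secure: false },
  { name: "session", host: "example.com", secure: true },
];

// For each page: its storage origin, whether it shares a localStorage
// area with the plain-http page, and which cookies it would receive.
function report() {
  return pages.map((page) => ({
    page,
    origin: storageOrigin(page),
    sharesStorageWithHttp: sameStorageArea(page, pages[0]),
    cookies: cookies.filter((c) => cookieSentTo(c, page)).map((c) => c.name),
  }));
}

for (const row of report()) console.log(JSON.stringify(row));
```

The https page receives the non-secure `prefs` cookie set over http but gets a separate, empty localStorage area, which is the behaviour the reporter observed.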