Bug 45304 - localStorage cross-domain sandbox with http / https urls
Status: RESOLVED WONTFIX
Product: WebKit
Classification: Unclassified
Component: WebCore Misc.
Version: 528+ (Nightly build)
Hardware: Mac (Intel) OS X 10.6
Importance: P2 Normal
Assignee: Nobody
Reported: 2010-09-07 09:43 PDT by Mark Beeson
Modified: 2010-09-08 14:57 PDT
Description Mark Beeson 2010-09-07 09:43:01 PDT
Currently, window.localStorage.getItem(key) returns values of keys when browsing http://example.com -- however, going to https://example.com gives a cross-domain exception and the browser can't see keys that have been set on http://example.com .

In theory, this should work the same as cookies; non-secure cookies are able to be read on SSL-enabled pages, but not vice-versa.  Similarly, non-secure key/value pairs should be able to be read (and modified) on SSL-enabled pages.
Comment 1 Alexey Proskuryakov 2010-09-08 13:14:32 PDT
From a cursory glance at the spec, this is working as expected. Cookie same origin security model is different from what most other Web platform features have, and it's normal that http and https are considered completely unrelated origins.
Comment 2 Mark Beeson 2010-09-08 13:33:37 PDT
From the letter of the spec, I would agree with you -- port 443 is different than port 80. However, this makes an implementation of localStorage on applications which need to switch between http and https pages (say, for authentication, purchasing, etc etc) nearly impossible.
Comment 3 Adam Barth 2010-09-08 14:57:56 PDT
The cookie security model is wrong and shouldn't be copied by new web platform features.  Our current behavior is correct.
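
The difference the thread turns on, as an added example that is not part of the bug report and is not WebKit code: localStorage is partitioned by the full origin (scheme, host, port), while cookies match on host and consult the scheme only for the Secure attribute. The function names and sample URLs are constructed, and the cookie model is deliberately simplified (no Domain or Path matching).

```javascript
// Added illustration; all function names here are hypothetical.

// Web Storage is keyed by origin: the (scheme, host, port) tuple.
// The URL parser drops default ports, so https://example.com:443
// and https://example.com serialize to the same origin.
function storageOrigin(url) {
  return new URL(url).origin;
}

function sameStorageArea(a, b) {
  return storageOrigin(a) === storageOrigin(b);
}

// Simplified cookie matching: host only, port ignored, and the
// scheme is checked only when the cookie carries Secure.
function cookieSentTo(cookie, url) {
  const u = new URL(url);
  if (u.hostname !== cookie.host) return false;
  if (cookie.secure && u.protocol !== 'https:') return false;
  return true;
}

// Constructed sample pages for one site.
const pages = [
  'http://example.com/cart',
  'https://example.com/checkout',
  'https://example.com:443/login',
  'http://example.com:8080/',
];

// For data written by `setBy`, report which pages would share its
// localStorage area and which would receive the given cookie.
function compare(setBy, cookie) {
  return pages.map((page) => ({
    page,
    sharesLocalStorage: sameStorageArea(setBy, page),
    receivesCookie: cookieSentTo(cookie, page),
  }));
}

// Values written over plain http: the storage area stays on the http
// origin, while a non-Secure cookie is also presented to the https pages.
console.log(compare('http://example.com/', { host: 'example.com', secure: false }));
```

An application that moves between http and https pages has to hand state over explicitly (for example server-side, keyed to the session) rather than rely on a shared storage area.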