Specify behaviour for sessionStorage with opaque origins #3283
Comments
Oh, interesting! I was in that area of the spec recently and I thought this difference was intentional because sessionStorage is not as persistent. But it sounds like either it was an unintentional mistake, or all browsers missed this difference while implementing. We should fix the spec; even if it is reasonable and safe to allow sessionStorage, it's not worth the churn on browsers to add a "feature" that is so esoteric.
FWIW, prompted by https://bugs.chromium.org/p/chromium/issues/detail?id=677733 I did a pass. Safari 12, Firefox 66, Edge 18 and Chrome 73 all throw on access to Good first PR?
Yeah, not a trivial one since it involves a bit of monkeying with existing text, but not so bad. The goal is to turn the paragraph
into a series of three steps: the first two more or less copied from https://html.spec.whatwg.org/multipage/webstorage.html#storage-object-initialisation-steps, and the third containing the existing contents of the paragraph. You can model it after https://html.spec.whatwg.org/multipage/webstorage.html#storage-object-initialisation-steps, but we probably don't need a separate definition for "Storage object initialization steps" or similar.
Use the new primitives in the Storage Standard. Closes whatwg#3209, closes whatwg#3210, closes whatwg#3283, closes whatwg#4650, closes whatwg#5463, and closes whatwg#5498.
whatwg/html#3283 was resolved to change the spec to not allow access to session storage in opaque origins, matching our implementation.

Bug: 677733
Change-Id: I23da98f166f0845312a0c8ec386d84ac2e3c74f3
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2579023
Commit-Queue: Marijn Kruisselbrink <mek@chromium.org>
Commit-Queue: Tom Sepez <tsepez@chromium.org>
Auto-Submit: Marijn Kruisselbrink <mek@chromium.org>
Reviewed-by: Tom Sepez <tsepez@chromium.org>
Cr-Commit-Position: refs/heads/master@{#834818}
GitOrigin-RevId: 0aaf444242e608b9234ebb9dd1244ace3ed0f141
The specification for the localStorage attribute currently includes a set of "Storage object initialization steps". Among them is a step for throwing a SecurityError if the Document's origin is an opaque origin.

The sessionStorage attribute does not include similar steps at the moment. When I attempt to access window.sessionStorage on about:blank in Chrome and Safari, they throw a SecurityError much like for localStorage. Firefox throws an internal error (NS_ERROR_NOT_AVAILABLE), while I'm not able to test in Edge.

The sessionStorage attribute should presumably also include a set of "Storage object initialization steps" and behave the same way as localStorage for opaque origins.
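For code that may run in an opaque origin, the behaviour reported in this thread means the read of window.sessionStorage itself can throw, so the property access has to be guarded, not only the later getItem/setItem calls. The following is an added example, not part of the original issue, the spec or any browser; probeStorage and the stand-in window objects are hypothetical names constructed for illustration.

```javascript
// Probe a storage attribute without letting the getter's exception escape.
// The property access sits inside the try block because, per the reports
// above, the getter throws before any Storage method can be called.
function probeStorage(win, name) {
  let storage;
  try {
    storage = win[name]; // may throw SecurityError or an engine-internal error
  } catch (err) {
    return { available: false, reason: (err && err.name) || String(err) };
  }
  if (!storage) return { available: false, reason: "missing" };
  try {
    // Round-trip one key so disabled or full storage is also detected.
    const key = "__probe__";
    storage.setItem(key, "1");
    const ok = storage.getItem(key) === "1";
    storage.removeItem(key);
    return ok ? { available: true, storage } : { available: false, reason: "roundtrip" };
  } catch (err) {
    return { available: false, reason: (err && err.name) || String(err) };
  }
}

// Constructed stand-ins for `window` so the example runs outside a browser.
function makeMemoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

function makeThrowingWindow(errorName) {
  const win = {};
  for (const attr of ["localStorage", "sessionStorage"]) {
    Object.defineProperty(win, attr, {
      get() {
        const e = new Error("storage access denied");
        e.name = errorName; // constructed: mimics the error names quoted in the issue
        throw e;
      },
    });
  }
  return win;
}

const tupleOriginWindow = { localStorage: makeMemoryStorage(), sessionStorage: makeMemoryStorage() };
const opaqueOriginWindow = makeThrowingWindow("SecurityError");
const internalErrorWindow = makeThrowingWindow("NS_ERROR_NOT_AVAILABLE");
```

Catching every exception, rather than testing for SecurityError alone, covers the engine-internal error the issue reports for Firefox.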