On Mon, Aug 6, 2012 at 5:08 PM, Ian Melven <imel...@mozilla.com> wrote:
> the spec at 
> http://www.whatwg.org/specs/web-apps/current-work/multipage/origin-0.html#sandboxed-origin-browsing-context-flag
> says:
>
> "This flag also prevents script from reading from or writing to the 
> document.cookie IDL attribute, and blocks access to localStorage."
>
> it seems that indexedDB access should also be blocked when this flag is set 
> (ie when 'allow-same-origin' is NOT specified for the sandbox attribute).

Yes.  I think this is actually a consequence of having a unique origin
and doesn't need to be stated explicitly in the spec.  (Although we
might want to state it explicitly for the avoidance of doubt.)

The reason document.cookie needs to be called out explicitly is that it
doesn't use the document's origin to determine which cookies to
access: it uses the document's URL.  We need to do that because cookies
ignore the port but do care about the path part of the document's URL.
 (The better pattern for new API is to use the origin, which is what
IndexedDB does.)

> i intend to implement this restriction in Gecko, feedback from other 
> implementors is welcome :)

Great.

Adam
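
The distinction drawn in the reply above, between origin-keyed storage and URL-keyed cookie access, as an added example that is not part of the original message or any browser's code. It is a simplified model: every function and class name, the example.test URL and the cookie are constructed for illustration.

```javascript
// Simplified model, constructed for illustration; not browser code.
let opaqueCounter = 0;

// sandbox: null when there is no sandbox attribute, else its token string.
function documentOrigin(url, sandbox) {
  const tokens = sandbox === null ? null : sandbox.split(/\s+/).filter(Boolean);
  if (tokens && !tokens.includes("allow-same-origin")) {
    return `opaque:${++opaqueCounter}`; // unique origin, equal to nothing else
  }
  return new URL(url).origin; // scheme + host + port
}

// Origin-keyed storage, the pattern IndexedDB follows.
class OriginKeyedStore {
  constructor() { this.byOrigin = new Map(); }
  open(origin) {
    if (!this.byOrigin.has(origin)) this.byOrigin.set(origin, new Map());
    return this.byOrigin.get(origin);
  }
}

// Cookie path matching: exact match or prefix ending at a "/" boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// URL-keyed cookie lookup: host and path matter, the port is ignored.
function cookiesForUrl(jar, url) {
  const u = new URL(url);
  return jar.filter(c => c.host === u.hostname && pathMatches(u.pathname, c.path)).map(c => c.name);
}

// Model of the document.cookie getter; enforceFlag is the explicit sandbox check.
function documentCookie(jar, url, sandbox, enforceFlag) {
  const opaque = documentOrigin(url, sandbox).startsWith("opaque:");
  return enforceFlag && opaque ? [] : cookiesForUrl(jar, url);
}

function demo() {
  const url = "https://example.test:8443/app/page.html"; // constructed
  const jar = [{ name: "sid", host: "example.test", path: "/app" }]; // constructed
  const store = new OriginKeyedStore();
  store.open(documentOrigin(url, null)).set("token", "secret");
  const framed = store.open(documentOrigin(url, "allow-scripts"));
  return { storageVisible: framed.has("token"),
           cookiesNoCheck: documentCookie(jar, url, "allow-scripts", false),
           cookiesWithCheck: documentCookie(jar, url, "allow-scripts", true) };
}
console.log(demo());
```

In this model the sandboxed frame loses the stored token purely because its origin is unique, while the cookie is hidden only when the explicit check is enabled.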
