This is an archived snapshot of W3C's public bugzilla bug tracker, decommissioned in April 2019. Please see the home page for more details.
Section 7.1 on DNS spoofing attacks states: "Pages using TLS can be sure that only pages using TLS that have certificates identifying them as being from the same domain can access their storage areas." We could add "This protects against DNS spoofing attacks which do not involve the user. However, if the user is involved in the attack this protection can be circumvented by the user installing root certificates for fake certification authorities and then creating site certificates to be used in conjunction with DNS spoofing. Therefore a web page author cannot be sure that the information stored in web storage has not been viewed or modified by or on behalf of the user." i.e. page authors should be aware that even with TLS information inside web storage can be viewed and modified by or on behalf of the user.
How is this different from the user just manually editing the storage areas on disk, or a malicious program installed on their computer doing that? The client is always untrusted. The only guarantees we can even try to provide are against network attacks, e.g., an attacker who gets the user to visit a malicious webpage. That should be safe as long as the client isn't compromised.
(In reply to comment #1) > How is this different from the user just manually editing the storage areas on > disk, or a malicious program installed on their computer doing that? The > client is always untrusted. The only guarantees we can even try to provide are > against network attacks, e.g., an attacker who gets the user to visit a > malicious webpage. That should be safe as long as the client isn't > compromised. You're right, but the existing text suggested to me that using TLS provided some assurance *for the web page* that the information was safe from attack. In fact it provides this assurance only in respect of certain kinds of attack. Perhaps that is implicit and doesn't need to be called out ?
Yes, maybe it would be worth explicitly calling out (if it hasn't been already) that anyone with access to the user's computer has full access to website storage. Some people seem to get confused about that and think that some type of magical encryption should be used that only lets the site itself access it, somehow.
I've tweaked the text.
Checked in as WHATWG revision r6169. Check-in comment: Don't overpromise in security sections... http://html5.org/tools/web-apps-tracker?from=6168&to=6169