WWDC Keynote: HTML5 wide open for On-Rev & revServer
Alex Tweedly
alex at tweedly.net
Sat Jun 12 20:07:02 EDT 2010
I guess I'm missing something here .....
It seems that if I write a Rodeo app and it uses HTML5 local storage,
then there is a security issue because other Rodeo apps on the same
server might be able to access the user's data when stored locally on
his machine.
But today I generally write desktop apps. The user's data is stored on
(usually) his local disk. And any other desktop app he chooses to
install can access that data. What's so different?
-- Alex.
On 08/06/2010 18:10, Mike Bonner wrote:
> Actually, I believe the following (from the provided link) is what is
> being referred to:
>
> 7.2 Cross-directory attacks
>
> Different authors sharing one host name, for example users hosting
> content on geocities.com, all share one local storage object. There is
> no feature to restrict the access by pathname. Authors on shared hosts
> are therefore recommended to avoid using these features, as it would
> be trivial for other authors to read the data and overwrite it.
>
> Even if a path-restriction feature was made available, the usual DOM
> scripting security model would make it trivial to bypass this
> protection and access the data from any path.
>
> On Tue, Jun 8, 2010 at 10:36 AM, Jerry Daniels <jerry.daniels at me.com> wrote:
>
>> Not so. No.
>>
>> Each developer has own space. If developer INVITES someone in...as a
>> teammate, then they share.
>>
>> Vampire rules. Need an invite to join another developer.
>>
>> Best,
>>
>> Jerry Daniels
>>
>> Follow the Rodeo discussion:
>> http://rodeoapps.com/rodeo-discuss-among-yourselves
>>
>>
>>
>> On Jun 8, 2010, at 11:19 AM, Robert Mann wrote:
>>
>>
>>> For Rodéo apps, if each user shares a space on a common shared server,
>>> then all the local data of user X are accessible to all different rodeo
>>> apps, So far I understood. Not reassuring!
>>>
>> _______________________________________________
>> use-revolution mailing list
>> use-revolution at lists.runrev.com
>> Please visit this url to subscribe, unsubscribe and manage your subscription
>> preferences:
>> http://lists.runrev.com/mailman/listinfo/use-revolution
>>
>>
>
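The point of the quoted section 7.2, as an added example that is not part of the original thread: browsers select the local storage area by origin (scheme, host, port) and ignore the path, so a host operator can check which app URLs would end up sharing one storage area. The function name and all URLs are constructed for illustration.

```javascript
// Added illustration: group app URLs by the origin a browser would use to
// select the localStorage area. The path plays no part in that choice.
// All URLs below are constructed sample values.

function sharedStorageGroups(appUrls) {
  const groups = new Map();
  for (const raw of appUrls) {
    const u = new URL(raw);
    // u.origin is scheme + host + port, with default ports normalised away
    if (!groups.has(u.origin)) groups.set(u.origin, []);
    groups.get(u.origin).push(u.pathname);
  }
  // Report only origins where more than one app shares a storage area
  const shared = {};
  for (const [origin, paths] of groups) {
    if (paths.length > 1) shared[origin] = paths;
  }
  return shared;
}

const sampleApps = [
  "http://apps.example.com/alice/notes/",
  "http://apps.example.com/bob/game/",
  "http://apps.example.com:80/carol/todo/", // explicit default port: same origin
  "https://apps.example.com/dave/mail/",    // different scheme: separate storage
  "http://erin.apps.example.com/wiki/",     // own host name: separate storage
];

console.log(sharedStorageGroups(sampleApps));
```

Apps served from different directories of one host name land in the same group, while an app given its own host name does not.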