Support Storage Partitioning (#383)
Mostly a "find and replace" of "origin" with "storage key" right now. 

More detailed integration is being worked on in #334

Co-authored-by: Joshua Bell <[email protected]>
arichiv and inexorabletash authored Jun 8, 2022
1 parent e196c63 commit 513352e
Showing 1 changed file with 28 additions and 33 deletions.
61 changes: 28 additions & 33 deletions index.bs
Expand Up @@ -65,6 +65,7 @@ spec: ecma262; urlPrefix: https://tc39.github.io/ecma262/
spec: storage; urlPrefix: https://storage.spec.whatwg.org/
type: dfn
text: storage bucket; url: storage-bucket
text: storage key; url: storage-key
</pre>

<style>
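Review bot: the anchor block gains `text: storage key; url: storage-key` but no entry for `obtain a storage key`, which the `open()`, `deleteDatabase()` and `databases()` steps in this same change now link as [=obtain a storage key=]; unless that definition is exported by the Storage spec and resolved automatically, add a matching anchor line next to the `storage key` one so the build does not fail on an unresolved link.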
Expand Down Expand Up @@ -416,14 +417,14 @@ To <dfn>create a sorted name list</dfn> from a [=/list=] |names|, run these step
## Database ## {#database-construct}
<!-- ============================================================ -->

Each [=/origin=] has an associated set of [=databases=]. A
Each [=/storage key=] has an associated set of [=databases=]. A
<dfn>database</dfn> has zero or more [=/object stores=] which
hold the data stored in the database.

<div dfn-for=database>

A [=database=] has a <dfn>name</dfn> which identifies it within a
specific [=/origin=]. The name is a [=/name=],
specific [=/storage key=]. The name is a [=/name=],
and stays constant for the lifetime of the database.

A [=database=] has a <dfn>version</dfn>. When a database is first
Expand Down Expand Up @@ -455,7 +456,7 @@ There may be multiple [=/connections=] to a given [=database=] at
any given time.

A [=/connection=] can only access [=databases=] associated with the
[=/origin=] of the global scope from which the [=/connection=] is
[=/storage key=] of the global scope from which the [=/connection=] is
opened.

<aside class=note>
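Review bot: this sentence is the isolation boundary for the whole feature, so the note that opens right below should say explicitly that a storage key is not the same thing as an origin: under storage partitioning the same origin can map to different storage keys depending on where it is embedded, and a connection opened in one context cannot reach databases stored under another key. Without that, a reader skimming the find-and-replace will assume the old origin-based guarantee is unchanged.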
Expand Down Expand Up @@ -487,7 +488,7 @@ it hasn't already been.

A [=/connection=] may be closed by a user agent in exceptional
circumstances, for example due to loss of access to the file system, a
permission change, or clearing of the origin's storage. If this occurs
permission change, or clearing of the [=/storage key=]'s storage. If this occurs
the user agent must run [=close a database
connection=] with the [=/connection=] and with the <var ignore>forced flag</var> set to true.

Expand Down Expand Up @@ -1284,7 +1285,7 @@ An [=open request=]'s [=get the parent=] algorithm returns null.

[=Open requests=] are processed in a <dfn>connection queue</dfn>.
The queue contains all [=open requests=] associated with an
[=/origin=] and a [=database/name=]. Requests added to the
[=/storage key=] and a [=database/name=]. Requests added to the
[=connection queue=] processed in order and each request must run
to completion before the next request is processed. An open request
may be blocked on other [=/connections=], requiring those
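Review bot: the unchanged context line `[=connection queue=] processed in order and each request must run` is missing "are" ("Requests added to the connection queue are processed in order"); not introduced by this change, but it sits in the touched paragraph and is an easy drive-by fix.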
Expand Down Expand Up @@ -2200,7 +2201,7 @@ dictionary IDBDatabaseInfo {
: |result| = await indexedDB . {{IDBFactory/databases()|databases}}()
::
Returns a promise which resolves to a list of objects giving a snapshot
of the names and versions of databases within the origin.
of the names and versions of databases within the [=/storage key=].

This API is intended for web applications to introspect the use of databases,
for example to clean up from earlier versions of a site's code. Note that
Expand All @@ -2217,17 +2218,15 @@ The <dfn method for=IDBFactory>open(|name|, |version|)</dfn> method steps are:

1. Let |environment| be [=/this=]'s [=/relevant settings object=].

1. Let |origin| be |environment|'s [=environment settings object/origin=].

1. If |origin| is an [=opaque origin=], [=throw=] a
"{{SecurityError}}" {{DOMException}} and abort these steps.
1. Let |storageKey| be the result of running [=obtain a storage key=] given |environment|.
If failure is returned, then [=throw=] a "{{SecurityError}}" {{DOMException}} and abort these steps.

1. Let |request| be a new [=open request=].

1. Run these steps [=in parallel=]:

1. Let |result| be the result of
[=/opening a database=], with |origin|,
[=/opening a database=], with |storageKey|,
|name|, |version| if given and undefined
otherwise, and |request|.

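Review bot: the removed step rejected an opaque origin explicitly with a "SecurityError"; the replacement relies on [=obtain a storage key=] returning failure instead. Confirm that the Storage spec's algorithm does fail for an opaque origin, otherwise this hunk silently changes behaviour for sandboxed or otherwise opaque contexts from "throw" to "succeed with some key". Also, |origin| is no longer defined in this method, so check that no later step of open() outside the shown context still reads |origin|.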
Expand Down Expand Up @@ -2288,17 +2287,15 @@ The <dfn method for=IDBFactory>deleteDatabase(|name|)</dfn> method steps are:

1. Let |environment| be [=/this=]'s [=/relevant settings object=].

1. Let |origin| be |environment|'s [=environment settings object/origin=].

1. If |origin| is an [=opaque origin=], [=throw=] a
"{{SecurityError}}" {{DOMException}} and abort these steps.
1. Let |storageKey| be the result of running [=obtain a storage key=] given |environment|.
If failure is returned, then [=throw=] a "{{SecurityError}}" {{DOMException}} and abort these steps.

1. Let |request| be a new [=open request=].

1. Run these steps [=in parallel=]:

1. Let |result| be the result of
[=/deleting a database=], with |origin|,
[=/deleting a database=], with |storageKey|,
|name|, and |request|.

1. Set |request|'s [=request/processed flag=] to true.
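Review bot: the explicit opaque-origin "SecurityError" is again replaced by "If failure is returned", and the identical two-line step now appears in open(), deleteDatabase() and databases(); consider factoring a single "obtain the storage key for |environment|, throwing a SecurityError on failure" step that all three methods call, so the failure condition cannot drift between them later.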
Expand Down Expand Up @@ -2344,16 +2341,14 @@ The <dfn method for=IDBFactory>databases()</dfn> method steps are:

1. Let |environment| be [=/this=]'s [=/relevant settings object=].

1. Let |origin| be |environment|'s [=environment settings object/origin=].

1. If |origin| is an [=opaque origin=],
then return [=/a promise rejected with=] a "{{SecurityError}}" {{DOMException}}.
1. Let |storageKey| be the result of running [=obtain a storage key=] given |environment|.
If failure is returned, then return [=/a promise rejected with=] a "{{SecurityError}}" {{DOMException}}

1. Let |p| be [=/a new promise=].

1. Run these steps [=in parallel=]:

1. Let |databases| be the [=/set=] of [=databases=] in |origin|.
1. Let |databases| be the [=/set=] of [=databases=] in |storageKey|.
If this cannot be determined for any reason, then [=/reject=] |p| with
an appropriate error (e.g. an "{{UnknownError}}" {{DOMException}})
and terminate these steps.
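Review bot: the new step `If failure is returned, then return [=/a promise rejected with=] a "{{SecurityError}}" {{DOMException}}` is missing its terminating period, unlike the corresponding steps in open() and deleteDatabase(); add it. This method rejects the promise rather than throwing, which matches the removed opaque-origin step, so the difference from the other two methods is intentional and worth keeping.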
Expand Down Expand Up @@ -4964,16 +4959,16 @@ The <dfn attribute for=IDBTransaction>onerror</dfn> attribute is an [=/event han

<div algorithm>

To <dfn>open a database</dfn> with |origin| which requested the [=database=] to be opened, a database |name|, a database |version|, and a |request|, run these steps:
To <dfn>open a database</dfn> with |storageKey| which requested the [=database=] to be opened, a database |name|, a database |version|, and a |request|, run these steps:

1. Let |queue| be the [=connection queue=] for |origin| and |name|.
1. Let |queue| be the [=connection queue=] for |storageKey| and |name|.

1. Add |request| to |queue|.

1. Wait until all previous requests in |queue| have been processed.

1. Let |db| be the [=database=] [=database/named=] |name| in
|origin|, or null otherwise.
|storageKey|, or null otherwise.

1. If |version| is undefined, let |version| be 1 if |db| is null, or
|db|'s [=database/version=] otherwise.
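Review bot: `with |storageKey| which requested the [=database=] to be opened` is leftover origin phrasing; a storage key does not request anything. Suggest `with a |storageKey|, a database |name|, a database |version|, and a |request|`, and the same fix for `with the |storageKey| that requested the [=database=] to be deleted` in the delete a database algorithm.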
Expand Down Expand Up @@ -5060,7 +5055,7 @@ optional |forced flag|, run these steps:

<aside class=note>
The <a event>`close`</a> event only fires if the connection closes
abnormally, e.g. if the origin's storage is cleared, or there is
abnormally, e.g. if the [=/storage key=]'s storage is cleared, or there is
corruption or an I/O error. If {{IDBDatabase/close()}} is called explicitly
the event *does not* fire.
</aside>
Expand Down Expand Up @@ -5089,18 +5084,18 @@ optional |forced flag|, run these steps:

<div algorithm>

To <dfn>delete a database</dfn> with the |origin| that
To <dfn>delete a database</dfn> with the |storageKey| that
requested the [=database=] to be deleted, a database |name|, and a
|request|, run these steps:

1. Let |queue| be the [=connection queue=] for |origin| and |name|.
1. Let |queue| be the [=connection queue=] for |storageKey| and |name|.

1. Add |request| to |queue|.

1. Wait until all previous requests in |queue| have been processed.

1. Let |db| be the [=database=] [=database/named=] |name| in
|origin|, if one exists. Otherwise, return 0 (zero).
|storageKey|, if one exists. Otherwise, return 0 (zero).

1. Let |openConnections| be the [=/set=] of all [=/connections=]
associated with |db|.
Expand Down Expand Up @@ -6606,10 +6601,10 @@ of user tracking:
User agents may require the user to authorize access to databases
before a site can use the feature.

: Origin-tracking of stored data
: Attribution of third-party storage
::
User agents may record the [=/origins=] of sites that contained content
from third-party origins that caused data to be stored.
from third-party [=/origins=] that caused data to be stored.

If this information is then used to present the view of data
currently in persistent storage, it would allow the user to make
Expand Down Expand Up @@ -6717,12 +6712,12 @@ user's wish list; or a hostile site could set a user's session
identifier to a known ID that the hostile site can then use to track
the user's actions on the victim site.

Thus, strictly following the <span>origin</span> model described in
Thus, strictly following the storage key partitioning model described in
this specification is important for user security.

If origins or database names are used to construct paths for
If host names or database names are used to construct paths for
persistence to a file system they must be appropriately escaped to
prevent an adversary from accessing information from other origins
prevent an adversary from accessing information from other [=/storage keys=]
using relative paths such as "`../`".

## Persistence risks ## {#persistence-risks}
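Review bot: the condition now reads `host names or database names` while the consequence reads `other [=/storage keys=]`; if a path is derived from a storage key, every component serialized into it, not only the host name, must be escaped, so either say `storage keys or database names` in the first clause or state which components of the key are expected to appear in paths. As written, an implementer may escape the host and leave the remaining key components unescaped.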

0 comments on commit 513352e