Tuesday, May 13th, 2008
Sometimes it is interesting to see that knowledge from the 10,000 B.C. period of web development can be used in new ways to create – to play it safe – interesting ideas.
Each window in a browser has a name property, which became pretty much useless when we stopped using pop-up windows and trying to make them communicate with each other by name.
Thomas Frank, however, wrote a small library that uses window.name to store session variables without having to resort to cookies, and his research seems to prove that you can store up to two megabytes of data in window.name. As this property is available across page reloads it is a sort of session, but as the comments show, the security aspects of it are just scary:
There is a cross domain flag in sessvars, but although it defaults to false, this just sees to that you don’t get any other sites window.name garbage inside your sessvars by mistake. The actual data you set will be available for other scripts on other domains to look at – and also to anyone able to type
Posted by Chris Heilmann at 10:06 am
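The behaviour the quoted comment describes, as an added example that is not part of the original post or of the sessvars library: a simplified model of one tab whose name survives navigation between sites, with a defensive read and a scrub on exit. The tab object, the helper names and the example.com-style origins are all constructed for illustration.

```javascript
// Simplified model of one browser tab (constructed for illustration):
// `name` belongs to the tab, not the site, so navigation never resets it.
function makeTab() { return { name: "", origin: null }; }
function navigate(tab, origin) { tab.origin = origin; return tab; }

// Store session data in the tab name, tagged with the writing origin.
function saveSession(tab, data) {
  tab.name = JSON.stringify({ origin: tab.origin, data });
}

// Defensive read: whatever page used the tab before may have set the name,
// so parse it as JSON only (never eval), cap its size and check the tag.
// The tag filters accidental garbage; it is not authentication, because
// any site can write a name that carries someone else's origin string.
function loadSession(tab, maxLen = 2 * 1024 * 1024) {
  const raw = tab.name;
  if (typeof raw !== "string" || raw.length === 0 || raw.length > maxLen) return null;
  let parsed;
  try { parsed = JSON.parse(raw); } catch (e) { return null; }
  if (parsed === null || typeof parsed !== "object") return null;
  return parsed.origin === tab.origin ? parsed.data : null;
}

// Mitigation on the way out: clear the name before leaving the site
// (in a real page, from a pagehide or beforeunload handler).
function scrub(tab) { tab.name = ""; }

function demo() {
  const tab = navigate(makeTab(), "https://shop.example");
  saveSession(tab, { user: "alice", cart: ["book"] });
  navigate(tab, "https://other.example");
  const leaked = tab.name.includes("alice"); // other site sees the raw string
  const foreign = loadSession(tab);          // tag mismatch, rejected as garbage
  navigate(tab, "https://shop.example");
  const restored = loadSession(tab);         // same tab, same site: data is back
  scrub(tab);
  navigate(tab, "https://other.example");
  return { leaked, foreign, restored, afterScrub: tab.name };
}

console.log(demo());
```

The practical consequence is that nothing secret belongs in window.name, and anything read back from it has to be validated like any other external input.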