Re: W3C Specs: Web SQL
| From | Charles Pritchard |
|---|---|
| Subject | Re: W3C Specs: Web SQL |
| Date | |
| Msg-id | 4CD84320.4030400@jumis.com |
| In reply to | Re: W3C Specs: Web SQL (Alvaro Herrera <alvherre@commandprompt.com>) |
| Replies | Re: W3C Specs: Web SQL; Re: W3C Specs: Web SQL; W3C Specs: Web SQL Revisit |
| List | pgsql-hackers |
On 11/8/2010 7:55 AM, Alvaro Herrera wrote:
> Excerpts from Charles Pritchard's message of sáb nov 06 23:20:13 -0300 2010:
>
>> Simple async sql sub-set (the spec in trouble):
>> http://dev.w3.org/html5/webdatabase/
>
> This is insane. This spec allows the server to run arbitrary SQL
> commands on the client, AFAICT. That seems like infinite joy for
> malicious people running webservers. The more powerful the dialect of
> SQL the client implements, the more dangerous it is.

Because of a lack of "interested implementers", the spec does not put forward a standard dialect/subset. It simply uses SQLite.

Obviously, access should be restricted per the security section: a given domain may only run commands that modify its own database.

Remember, this is client-side, in respect to "implementations". Each domain (origin) would behave as its own unique user with its own unique database (or namespace).

That said, there are a few server-side JS apps around, and they're certainly more agile than browser vendors: the "openDatabase" command does not encompass credentials for multi-user situations in SSJS [again, because it's glued to the origin, on client-side].

With Postgres' current security options, I don't see that being a difficult issue.