Gmail finally provided “offline” mode via Google Gears. So when Gears is enabled you can access your Gmail from your browser any time… even when you’re not online! Ok so that’s cool… but where does it store the data and is the data secure?
When a website attempts to interact with a gears datastore it uses uses the same origin policy as its underlying security model. In a nutshell, the policy permits scripts running on pages originating from the same site to access each other’s methods and properties with no specific restrictions — but prevents access to most methods and properties across pages on different sites. This means that a web page with a particular scheme, host, and port can only access resources with the same scheme, host, and port.
This means a site using Gears:
- Database: Can only open databases created for that site’s origin.
- LocalServer: Can only capture URLs and use manifests from the site’s origin.
The data is stored locally using a SQLite database. The downer is that your data within this database is NOT encrypted. Gears data files are protected with the user’s operating system login credentials. Users with separate login names cannot access each other’s Gears data files… but this is only enforced by the operating system.
If two users are sharing the same login to the operating system they could theoretically access each other’s Gears data files, just as they could access any other file on the machine.