<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:st1="urn:schemas-microsoft-com:office:smarttags" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><o:SmartTagType
namespaceuri="urn:schemas-microsoft-com:office:smarttags" name="PersonName"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Font Definitions */
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:blue;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:Arial;
color:navy;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style>
</head>
<body lang=EN-US link=blue vlink=blue>
<div class=Section1>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>I’m also not keen on UA sniffing for
the determination of features, which is why I mentioned using
localStorage.setItem.length to determine if the TTL parameter is valid for the
browser. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>IMO, it’s fine not to delete the
data while the page is loaded, but I would like to ensure that the data isn’t
able to be read if the expiration time is reached during the page lifecycle. <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>And I totally agree, this is not a strong
security feature, and that’s not the intent. The intent is just to give
an extra measure of control of the lifetime of the data to bring Web Storage
closer to being a replacement for a wider range of functionality that currently
uses cookies.<o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>
<div>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>-Nicholas</span></font><font color=navy><span
style='color:navy'><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=3 color=navy face="Times New Roman"><span
style='font-size:12.0pt;color:navy'> <o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>______________________________________________</span></font><font
color=navy><span style='color:navy'><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Commander Lock: "Dammit Morpheus, not
everyone believes what you believe!"</span></font><font color=navy><span
style='color:navy'><o:p></o:p></span></font></p>
<p class=MsoNormal><font size=2 color=navy face=Arial><span style='font-size:
10.0pt;font-family:Arial;color:navy'>Morpheus: "My beliefs do not require
them to."</span></font><o:p></o:p></p>
</div>
<div>
<div class=MsoNormal align=center style='text-align:center'><font size=3
face="Times New Roman"><span style='font-size:12.0pt'>
<hr size=2 width="100%" align=center tabindex=-1>
</span></font></div>
<p class=MsoNormal><b><font size=2 face=Tahoma><span style='font-size:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=2
face=Tahoma><span style='font-size:10.0pt;font-family:Tahoma'>
whatwg-bounces@lists.whatwg.org [mailto:whatwg-bounces@lists.whatwg.org] <b><span
style='font-weight:bold'>On Behalf Of </span></b>Jeremy Orlow<br>
<b><span style='font-weight:bold'>Sent:</span></b> Friday, July 30, 2010 11:18
AM<br>
<b><span style='font-weight:bold'>To:</span></b> Alexandre Morgaut<br>
<b><span style='font-weight:bold'>Cc:</span></b> <st1:PersonName w:st="on">whatwg@lists.whatwg.org</st1:PersonName>;
<st1:PersonName w:st="on">Nicholas Zakas</st1:PersonName>; Jonas Sicking<br>
<b><span style='font-weight:bold'>Subject:</span></b> Re: [whatwg] Proposal for
Web Storage expiration</span></font><o:p></o:p></p>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>On Fri, Jul 30, 2010 at 7:09 PM, Alexandre Morgaut <<a
href="mailto:Alexandre.Morgaut@4d.com">Alexandre.Morgaut@4d.com</a>> wrote:<o:p></o:p></span></font></p>
<div style='word-wrap:break-word'>
<div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><br>
<br>
<o:p></o:p></span></font></p>
<div>
<div>
<div>
<blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;
margin-left:4.8pt;margin-right:0in'>
<div style='word-wrap:break-word'>
<div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>Storage::setExpiration(in DOMString key, in TTL or
expiration Date)</span></font><o:p></o:p></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=2 face=Arial><span style='font-size:10.0pt;
font-family:Arial'>(or Storage::setTTL() if you guys don't agree on the
Date option)</span></font><o:p></o:p></p>
</div>
</div>
</div>
</blockquote>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>This might make sense, but I'm also not sure it's worth the additional
API surface area. Plus I kind of like the idea of making it difficult for
people to detect whether the browser even supports expiration since we don't
people to ever assume they can count on it. (Since once again, what if
the user doesn't turn on their computer or the UA doesn't delete expired data
unless it's running?)<o:p></o:p></span></font></p>
</div>
</div>
</div>
</div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Well, as Nicholas said, the important thing is that the User-Agent
makes its best to remove the items ASAP once they expired.<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Sure some of these items could remain on disk while they expired until
the UA start again.<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>This is absolutely not a strong security feature. <o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>The user still should be able to remove manually the storages content, or
disable access to the storage objects, from the User-Agent
menus/preferences.<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>I'm not confortable into hiding User-Agent capabilities from the API.<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>Smart people like John Resig recommend to check the available API
instead of looking after the User-Agent name and version to detect them, and I
kind of like this approach.<o:p></o:p></span></font></p>
</div>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>My point was that a programmer really shouldn't do anything differently
whether or not the API is available. But you're probably right that it'd
only push such an author towards user-agent sniffing which is of course worse.<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>I just had another thought. Although I strongly feel that the
spec shouldn't guarantee when the data is deleted (and should
probably have some non-normative text explaining why) we could (if we wanted
to) guarantee that data won't be available to the page after that
time. (Of course subject to run to completion constraints--if the user
calls localStorage.length, we can't delete the item until they leave the
scripting context. Also there's a question of whether we'd fire
StorageEvents while something's timed out. Maybe we should just expire
stuff when navigating to a page and not while the page is running?)<o:p></o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
<div>
<p class=MsoNormal><font size=3 face="Times New Roman"><span style='font-size:
12.0pt'>J<o:p></o:p></span></font></p>
</div>
</div>
</div>
</body>
</html>