[html5] r1544 - /
whatwg at whatwg.org
Tue May 6 21:03:41 PDT 2008
Author: ianh
Date: 2008-05-06 21:03:40 -0700 (Tue, 06 May 2008)
New Revision: 1544
Modified:
index
source
Log:
[e] (0) Merge the name/value pair storage and SQL storage sections into one section with a common privacy and security bit, and other editorial fixes.
Modified: index
===================================================================
--- index 2008-05-07 03:27:23 UTC (rev 1543)
+++ index 2008-05-07 04:03:40 UTC (rev 1544)
@@ -1214,192 +1214,190 @@
</span>Content-Type metadata</a>
</ul>
- <li><a href="#storage"><span class=secno>4.11 </span>Client-side session
- and persistent storage of name/value pairs</a>
+ <li><a href="#structured"><span class=secno>4.11 </span>Structured
+ client-side storage</a>
<ul class=toc>
- <li><a href="#introduction2"><span class=secno>4.11.1
- </span>Introduction</a>
+ <li><a href="#storage"><span class=secno>4.11.1 </span>Storing
+ name/value pairs</a>
+ <ul class=toc>
+ <li><a href="#introduction2"><span class=secno>4.11.1.1.
+ </span>Introduction</a>
- <li><a href="#the-storage"><span class=secno>4.11.2 </span>The
- <code>Storage</code> interface</a>
+ <li><a href="#the-storage"><span class=secno>4.11.1.2. </span>The
+ <code>Storage</code> interface</a>
- <li><a href="#the-sessionstorage"><span class=secno>4.11.3 </span>The
- <code title=dom-sessionStorage>sessionStorage</code> attribute</a>
+ <li><a href="#the-sessionstorage"><span class=secno>4.11.1.3.
+ </span>The <code title=dom-sessionStorage>sessionStorage</code>
+ attribute</a>
- <li><a href="#the-localstorage"><span class=secno>4.11.4 </span>The
- <code title=dom-localStorage>localStorage</code> attribute</a>
+ <li><a href="#the-localstorage"><span class=secno>4.11.1.4.
+ </span>The <code title=dom-localStorage>localStorage</code>
+ attribute</a>
- <li><a href="#the-storage0"><span class=secno>4.11.5 </span>The <code
- title=event-storage>storage</code> event</a>
- <ul class=toc>
- <li><a href="#event0"><span class=secno>4.11.5.1. </span>Event
- definition</a>
+ <li><a href="#the-storage0"><span class=secno>4.11.1.5. </span>The
+ <code title=event-storage>storage</code> event</a>
+ <ul class=toc>
+ <li><a href="#event0"><span class=secno>4.11.1.5.1. </span>Event
+ definition</a>
+ </ul>
+
+ <li><a href="#threads0"><span class=secno>4.11.1.6.
+ </span>Threads</a>
</ul>
- <li><a href="#miscellaneous0"><span class=secno>4.11.6
- </span>Miscellaneous implementation requirements for storage
- areas</a>
+ <li><a href="#sql"><span class=secno>4.11.2 </span>Database
+ storage</a>
<ul class=toc>
- <li><a href="#disk-space"><span class=secno>4.11.6.1. </span>Disk
- space</a>
+ <li><a href="#introduction3"><span class=secno>4.11.2.1.
+ </span>Introduction</a>
- <li><a href="#threads0"><span class=secno>4.11.6.2.
- </span>Threads</a>
+ <li><a href="#databases"><span class=secno>4.11.2.2.
+ </span>Databases</a>
+
+ <li><a href="#executing"><span class=secno>4.11.2.3.
+ </span>Executing SQL statements</a>
+
+ <li><a href="#database"><span class=secno>4.11.2.4. </span>Database
+ query results</a>
+
+ <li><a href="#errors"><span class=secno>4.11.2.5. </span>Errors</a>
+
+ <li><a href="#processing3"><span class=secno>4.11.2.6.
+ </span>Processing model</a>
</ul>
- <li><a href="#security7"><span class=secno>4.11.7 </span>Security and
- privacy</a>
+ <li><a href="#disk-space"><span class=secno>4.11.3 </span>Disk
+ space</a>
+
+ <li><a href="#privacy"><span class=secno>4.11.4 </span>Privacy</a>
<ul class=toc>
- <li><a href="#user-tracking"><span class=secno>4.11.7.1. </span>User
+ <li><a href="#user-tracking"><span class=secno>4.11.4.1. </span>User
tracking</a>
- <li><a href="#cookie"><span class=secno>4.11.7.2. </span>Cookie
+ <li><a href="#cookie"><span class=secno>4.11.4.2. </span>Cookie
resurrection</a>
+ </ul>
- <li><a href="#dns-spoofing"><span class=secno>4.11.7.3. </span>DNS
+ <li><a href="#security7"><span class=secno>4.11.5 </span>Security</a>
+ <ul class=toc>
+ <li><a href="#dns-spoofing"><span class=secno>4.11.5.1. </span>DNS
spoofing attacks</a>
- <li><a href="#cross-directory"><span class=secno>4.11.7.4.
+ <li><a href="#cross-directory"><span class=secno>4.11.5.2.
</span>Cross-directory attacks</a>
- <li><a href="#implementation"><span class=secno>4.11.7.5.
+ <li><a href="#implementation"><span class=secno>4.11.5.3.
</span>Implementation risks</a>
- </ul>
- </ul>
- <li><a href="#sql"><span class=secno>4.12 </span>Client-side database
- storage</a>
- <ul class=toc>
- <li><a href="#introduction3"><span class=secno>4.12.1
- </span>Introduction</a>
+ <li><a href="#sql-and"><span class=secno>4.11.5.4. </span>SQL and
+ user agents</a>
- <li><a href="#databases"><span class=secno>4.12.2 </span>Databases</a>
-
-
- <li><a href="#executing"><span class=secno>4.12.3 </span>Executing SQL
- statements</a>
-
- <li><a href="#database"><span class=secno>4.12.4 </span>Database query
- results</a>
-
- <li><a href="#errors"><span class=secno>4.12.5 </span>Errors</a>
-
- <li><a href="#processing3"><span class=secno>4.12.6 </span>Processing
- model</a>
-
- <li><a href="#privacy"><span class=secno>4.12.7 </span>Privacy</a>
-
- <li><a href="#security8"><span class=secno>4.12.8 </span>Security</a>
- <ul class=toc>
- <li><a href="#user-agents"><span class=secno>4.12.8.1. </span>User
- agents</a>
-
- <li><a href="#sql-injection"><span class=secno>4.12.8.2. </span>SQL
+ <li><a href="#sql-injection"><span class=secno>4.11.5.5. </span>SQL
injection</a>
</ul>
</ul>
- <li><a href="#links"><span class=secno>4.13 </span>Links</a>
+ <li><a href="#links"><span class=secno>4.12 </span>Links</a>
<ul class=toc>
- <li><a href="#hyperlink"><span class=secno>4.13.1 </span>Hyperlink
+ <li><a href="#hyperlink"><span class=secno>4.12.1 </span>Hyperlink
elements</a>
- <li><a href="#following"><span class=secno>4.13.2 </span>Following
+ <li><a href="#following"><span class=secno>4.12.2 </span>Following
hyperlinks</a>
<ul class=toc>
- <li><a href="#hyperlink0"><span class=secno>4.13.2.1.
+ <li><a href="#hyperlink0"><span class=secno>4.12.2.1.
</span>Hyperlink auditing</a>
</ul>
- <li><a href="#linkTypes"><span class=secno>4.13.3 </span>Link
+ <li><a href="#linkTypes"><span class=secno>4.12.3 </span>Link
types</a>
<ul class=toc>
- <li><a href="#link-type"><span class=secno>4.13.3.1. </span>Link
+ <li><a href="#link-type"><span class=secno>4.12.3.1. </span>Link
type "<code>alternate</code>"</a>
- <li><a href="#link-type0"><span class=secno>4.13.3.2. </span>Link
+ <li><a href="#link-type0"><span class=secno>4.12.3.2. </span>Link
type "<code>archives</code>"</a>
- <li><a href="#link-type1"><span class=secno>4.13.3.3. </span>Link
+ <li><a href="#link-type1"><span class=secno>4.12.3.3. </span>Link
type "<code>author</code>"</a>
- <li><a href="#link-type2"><span class=secno>4.13.3.4. </span>Link
+ <li><a href="#link-type2"><span class=secno>4.12.3.4. </span>Link
type "<code>bookmark</code>"</a>
- <li><a href="#link-type3"><span class=secno>4.13.3.5. </span>Link
+ <li><a href="#link-type3"><span class=secno>4.12.3.5. </span>Link
type "<code>contact</code>"</a>
- <li><a href="#link-type4"><span class=secno>4.13.3.6. </span>Link
+ <li><a href="#link-type4"><span class=secno>4.12.3.6. </span>Link
type "<code>external</code>"</a>
- <li><a href="#link-type5"><span class=secno>4.13.3.7. </span>Link
+ <li><a href="#link-type5"><span class=secno>4.12.3.7. </span>Link
type "<code>feed</code>"</a>
- <li><a href="#link-type6"><span class=secno>4.13.3.8. </span>Link
+ <li><a href="#link-type6"><span class=secno>4.12.3.8. </span>Link
type "<code>help</code>"</a>
- <li><a href="#link-type7"><span class=secno>4.13.3.9. </span>Link
+ <li><a href="#link-type7"><span class=secno>4.12.3.9. </span>Link
type "<code>icon</code>"</a>
- <li><a href="#link-type8"><span class=secno>4.13.3.10. </span>Link
+ <li><a href="#link-type8"><span class=secno>4.12.3.10. </span>Link
type "<code>license</code>"</a>
- <li><a href="#link-type9"><span class=secno>4.13.3.11. </span>Link
+ <li><a href="#link-type9"><span class=secno>4.12.3.11. </span>Link
type "<code>nofollow</code>"</a>
- <li><a href="#link-type10"><span class=secno>4.13.3.12. </span>Link
+ <li><a href="#link-type10"><span class=secno>4.12.3.12. </span>Link
type "<code>noreferrer</code>"</a>
- <li><a href="#link-type11"><span class=secno>4.13.3.13. </span>Link
+ <li><a href="#link-type11"><span class=secno>4.12.3.13. </span>Link
type "<code>pingback</code>"</a>
- <li><a href="#link-type12"><span class=secno>4.13.3.14. </span>Link
+ <li><a href="#link-type12"><span class=secno>4.12.3.14. </span>Link
type "<code>prefetch</code>"</a>
- <li><a href="#link-type13"><span class=secno>4.13.3.15. </span>Link
+ <li><a href="#link-type13"><span class=secno>4.12.3.15. </span>Link
type "<code>search</code>"</a>
- <li><a href="#link-type14"><span class=secno>4.13.3.16. </span>Link
+ <li><a href="#link-type14"><span class=secno>4.12.3.16. </span>Link
type "<code>stylesheet</code>"</a>
- <li><a href="#link-type15"><span class=secno>4.13.3.17. </span>Link
+ <li><a href="#link-type15"><span class=secno>4.12.3.17. </span>Link
type "<code>sidebar</code>"</a>
- <li><a href="#link-type16"><span class=secno>4.13.3.18. </span>Link
+ <li><a href="#link-type16"><span class=secno>4.12.3.18. </span>Link
type "<code>tag</code>"</a>
- <li><a href="#hierarchical"><span class=secno>4.13.3.19.
+ <li><a href="#hierarchical"><span class=secno>4.12.3.19.
</span>Hierarchical link types</a>
<ul class=toc>
- <li><a href="#link-type17"><span class=secno>4.13.3.19.1.
+ <li><a href="#link-type17"><span class=secno>4.12.3.19.1.
</span>Link type "<code>index</code>"</a>
- <li><a href="#link-type18"><span class=secno>4.13.3.19.2.
+ <li><a href="#link-type18"><span class=secno>4.12.3.19.2.
</span>Link type "<code>up</code>"</a>
</ul>
- <li><a href="#sequential0"><span class=secno>4.13.3.20.
+ <li><a href="#sequential0"><span class=secno>4.12.3.20.
</span>Sequential link types</a>
<ul class=toc>
- <li><a href="#link-type19"><span class=secno>4.13.3.20.1.
+ <li><a href="#link-type19"><span class=secno>4.12.3.20.1.
</span>Link type "<code>first</code>"</a>
- <li><a href="#link-type20"><span class=secno>4.13.3.20.2.
+ <li><a href="#link-type20"><span class=secno>4.12.3.20.2.
</span>Link type "<code>last</code>"</a>
- <li><a href="#link-type21"><span class=secno>4.13.3.20.3.
+ <li><a href="#link-type21"><span class=secno>4.12.3.20.3.
</span>Link type "<code>next</code>"</a>
- <li><a href="#link-type22"><span class=secno>4.13.3.20.4.
+ <li><a href="#link-type22"><span class=secno>4.12.3.20.4.
</span>Link type "<code>prev</code>"</a>
</ul>
- <li><a href="#other0"><span class=secno>4.13.3.21. </span>Other link
+ <li><a href="#other0"><span class=secno>4.12.3.21. </span>Other link
types</a>
</ul>
</ul>
- <li><a href="#interfaces"><span class=secno>4.14 </span>Interfaces for
+ <li><a href="#interfaces"><span class=secno>4.13 </span>Interfaces for
URI manipulation</a>
</ul>
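Review bot: the auto-numbered ids in this renumbered TOC are reassigned to different content, which silently breaks inbound fragment links rather than making them fail visibly: `#security7` now labels 4.11.5 "Security" (previously 4.11.7 "Security and privacy"), `#privacy` now labels the shared 4.11.4 "Privacy" section (previously the SQL-only 4.12.7), the SQL "Security" entry at `#security8` is dropped, and its subsection `#user-agents` becomes `#sql-and`. Since the security and privacy sections are exactly the ones external documents cite, consider giving them stable, descriptive ids (for example `storage-security`, `storage-privacy`) instead of generator-assigned `securityN` names, so a link written against one revision keeps pointing at the text it was written against.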
@@ -1458,7 +1456,7 @@
selection</a>
</ul>
- <li><a href="#security9"><span class=secno>5.3.7 </span>Security risks
+ <li><a href="#security8"><span class=secno>5.3.7 </span>Security risks
in the drag-and-drop model</a>
</ul>
@@ -2684,7 +2682,7 @@
<h4 id=security><span class=secno>2.1.1 </span>Security</h4>
- <p>User agents must raise a <a href="#security10">security exception</a>
+ <p>User agents must raise a <a href="#security9">security exception</a>
whenever any of the members of an <code><a
href="#htmldocument">HTMLDocument</a></code> object are accessed by
scripts whose <a href="#effective3">effective script origin</a> is not the
@@ -27605,7 +27603,7 @@
<h4 id=security3><span class=secno>4.2.1 </span>Security</h4>
- <p>User agents must raise a <a href="#security10">security exception</a>
+ <p>User agents must raise a <a href="#security9">security exception</a>
whenever any of the members of a <code><a href="#window">Window</a></code>
object are accessed by scripts whose <a href="#effective3">effective
script origin</a> is not the same as the <code><a
@@ -28038,7 +28036,7 @@
<p>If ToASCII fails to convert one of the components of the string, e.g.
because it is too long or because it contains invalid characters, then
- throw a <a href="#security10">security exception</a> and abort these
+ throw a <a href="#security9">security exception</a> and abort these
steps. <a href="#refsRFC3490">[RFC3490]</a></p>
<li>
@@ -28050,12 +28048,12 @@
<ol>
<li>
<p>If the current value is an IP address, throw a <a
- href="#security10">security exception</a> and abort these steps.</p>
+ href="#security9">security exception</a> and abort these steps.</p>
<li>
<p>If <var title="">new value</var>, prefixed by a U+002E FULL STOP
("."), does not exactly match the end of the current value, throw a <a
- href="#security10">security exception</a> and abort these steps.</p>
+ href="#security9">security exception</a> and abort these steps.</p>
</ol>
<li>
@@ -28138,7 +28136,7 @@
<h4 id=security4><span class=secno>4.4.2 </span>Security exceptions</h4>
- <p class=big-issue>Define <dfn id=security10>security exception</dfn>.
+ <p class=big-issue>Define <dfn id=security9>security exception</dfn>.
<h4 id=javascript-protocol><span class=secno>4.4.3 </span><dfn
id=the-javascript title="javascript protocol">The <code
@@ -29083,7 +29081,7 @@
the user what the site in question is.</p>
</dl>
- <p>User agents should raise <a href="#security10" title="security
+ <p>User agents should raise <a href="#security9" title="security
exception">security exceptions</a> if the methods are called with <var
title="">protocol</var> or <var title="">mimeType</var> values that the UA
deems to be "privileged". For example, a site attempting to register a
@@ -30472,7 +30470,7 @@
<li>
<p>If <var title="">uri</var> has a different <scheme> component than
- the manifest's URI, then raise a <a href="#security10">security
+ the manifest's URI, then raise a <a href="#security9">security
exception</a>.
<li>
@@ -31008,7 +31006,7 @@
hierarchical <scheme>). If the verification fails (either because
the argument is syntactically incorrect, or differs in a way not described
as acceptable in the previous sentence) then the user agent must raise a
- <a href="#security10">security exception</a>. <a
+ <a href="#security9">security exception</a>. <a
href="#refsRFC3986">[RFC3986]</a> <a href="#refsRFC3987">[RFC3987]</a>
<p>If the third argument passes its verification step, or if the third
@@ -31226,7 +31224,7 @@
<h5 id=security6><span class=secno>4.8.4.1. </span>Security</h5>
- <p>User agents must raise a <a href="#security10">security exception</a>
+ <p>User agents must raise a <a href="#security9">security exception</a>
whenever any of the members of a <code><a
href="#location2">Location</a></code> object are accessed by scripts whose
<a href="#effective3">effective script origin</a> is not the same as the
@@ -32629,11 +32627,13 @@
</dl>
</ol>
- <h3 id=storage><span class=secno>4.11 </span>Client-side session and
- persistent storage of name/value pairs</h3>
+ <h3 id=structured><span class=secno>4.11 </span>Structured client-side
+ storage</h3>
- <h4 id=introduction2><span class=secno>4.11.1 </span>Introduction</h4>
+ <h4 id=storage><span class=secno>4.11.1 </span>Storing name/value pairs</h4>
+ <h5 id=introduction2><span class=secno>4.11.1.1. </span>Introduction</h5>
+
<p><em>This section is non-normative.</em>
<p>This specification introduces two related mechanisms, similar to HTTP
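Review bot: the new umbrella heading `<h3 id=structured>` "Structured client-side storage" now sits over the name/value-pair section, whose own introductory text (kept as context in the next hunk) says that to store structured data in a storage area you must first convert it to a string. Only the database half of the merged section is structured; a neutral title such as "Client-side storage" would avoid implying that `localStorage`/`sessionStorage` store anything other than strings.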
@@ -32725,8 +32725,8 @@
store structured data in a storage area, you must first convert it to a
string.
- <h4 id=the-storage><span class=secno>4.11.2 </span>The <code><a
- href="#storage0">Storage</a></code> interface</h4>
+ <h5 id=the-storage><span class=secno>4.11.1.2. </span>The <code><a
+ href="#storage0">Storage</a></code> interface</h5>
<!-- XXX shouldn't we define somewhere how null values get handled
in these methods? Do they get converted to the empty string or
something? -->
@@ -32842,9 +32842,9 @@
not normative, see the sections below for the normative statement
-->
- <h4 id=the-sessionstorage><span class=secno>4.11.3 </span>The <code
+ <h5 id=the-sessionstorage><span class=secno>4.11.1.3. </span>The <code
title=dom-sessionStorage><a
- href="#sessionstorage">sessionStorage</a></code> attribute</h4>
+ href="#sessionstorage">sessionStorage</a></code> attribute</h5>
<p>The <dfn id=sessionstorage
title=dom-sessionStorage><code>sessionStorage</code></dfn> attribute
@@ -32914,9 +32914,9 @@
title=event-storage><a href="#storage1">storage</a></code> event must be
fired, as <a href="#storage1" title=event-storage>described below</a>.
- <h4 id=the-localstorage><span class=secno>4.11.4 </span>The <code
+ <h5 id=the-localstorage><span class=secno>4.11.1.4. </span>The <code
title=dom-localStorage><a href="#localstorage">localStorage</a></code>
- attribute</h4>
+ attribute</h5>
<p>The <dfn id=localstorage
title=dom-localStorage><code>localStorage</code></dfn> object provides a
@@ -32960,8 +32960,8 @@
must be fired, as <a href="#storage1" title=event-storage>described
below</a>.
- <h4 id=the-storage0><span class=secno>4.11.5 </span>The <code
- title=event-storage><a href="#storage1">storage</a></code> event</h4>
+ <h5 id=the-storage0><span class=secno>4.11.1.5. </span>The <code
+ title=event-storage><a href="#storage1">storage</a></code> event</h5>
<p>The <dfn id=storage1 title=event-storage><code>storage</code></dfn>
event is fired in an <code><a href="#htmldocument">HTMLDocument</a></code>
@@ -33004,7 +33004,7 @@
the two documents are in the same <a href="#unit-of">unit of related
browsing contexts</a>, or null otherwise.
- <h5 id=event0><span class=secno>4.11.5.1. </span>Event definition</h5>
+ <h6 id=event0><span class=secno>4.11.1.5.1. </span>Event definition</h6>
<pre class=idl>interface <dfn id=storageevent>StorageEvent</dfn> : Event {
readonly attribute DOMString <a href="#key" title=dom-StorageEvent-key>key</a>;
@@ -33043,36 +33043,8 @@
represents the <code><a href="#window">Window</a></code> that changed the
key.
- <h4 id=miscellaneous0><span class=secno>4.11.6 </span>Miscellaneous
- implementation requirements for storage areas</h4>
+ <h5 id=threads0><span class=secno>4.11.1.6. </span>Threads</h5>
- <h5 id=disk-space><span class=secno>4.11.6.1. </span>Disk space</h5>
-
- <p>User agents should limit the total amount of space allowed for a storage
- area.
-
- <p>User agents should guard against sites storing data in the storage areas
- of subdomains, e.g. storing up to the limit in a1.example.com,
- a2.example.com, a3.example.com, etc, circumventing the main example.com
- storage area's limit.
-
- <p>User agents may prompt the user when quotas are reached, allowing the
- user to grant a site more space. This enables sites to store many
- user-created documents on the user's computer, for instance.
-
- <p>User agents should allow users to see how much space each domain is
- using.
-
- <p>If the storage area space limit is reached during a <code
- title=dom-Storage-setItem><a href="#setitem">setItem()</a></code> call,
- the method will raise an exception.
-
- <p>A mostly arbitrary limit of five megabytes per domain is recommended.
- Implementation feedback is welcome and will be used to update this
- suggestion in future.
-
- <h5 id=threads0><span class=secno>4.11.6.2. </span>Threads</h5>
-
<p>Multiple browsing contexts must be able to access the local storage
areas simultaneously in a predictable manner. Scripts must not be able to
detect any concurrent script execution.
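Review bot: the paragraphs removed here carry two statements that go beyond the quota advice being merged into the new 4.11.3 "Disk space" section: the normative-sounding "If the storage area space limit is reached during a `setItem()` call, the method will raise an exception", and the recommended five-megabyte-per-domain limit with its request for implementation feedback. The merged section as shown in the final hunk of this diff is cut off after its first three paragraphs, so please confirm both survive there; the `setItem()` exception in particular is the only place the name/value API tells authors what happens when a quota is hit, and dropping it would leave that behaviour undefined.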
@@ -33095,164 +33067,14 @@
execution. This specification does not require any particular
implementation strategy, so long as the requirement above is met.
- <h4 id=security7><span class=secno>4.11.7 </span>Security and privacy</h4>
-
- <h5 id=user-tracking><span class=secno>4.11.7.1. </span>User tracking</h5>
-
- <p>A third-party advertiser (or any entity capable of getting content
- distributed to multiple sites) could use a unique identifier stored in its
- local storage area to track a user across multiple sessions, building a
- profile of the user's interests to allow for highly targeted advertising.
- In conjunction with a site that is aware of the user's real identity (for
- example an e-commerce site that requires authenticated credentials), this
- could allow oppressive groups to target individuals with greater accuracy
- than in a world with purely anonymous Web usage.
-
- <p>There are a number of techniques that can be used to mitigate the risk
- of user tracking:
-
- <ul>
- <li>
- <p>Blocking third-party storage: user agents may restrict access to the
- <code title=dom-localStorage><a
- href="#localstorage">localStorage</a></code> object to scripts
- originating at the domain of the top-level document of the <a
- href="#browsing0">browsing context</a>, for instance denying access to
- the API for pages from other domains running in <code><a
- href="#iframe">iframe</a></code>s.</p>
-
- <li>
- <p>Expiring stored data: user agents may automatically delete stored data
- after a period of time.</p>
-
- <p>For example, a user agent could treat third-party local storage areas
- as session-only storage, deleting the data once the user had closed all
- the <span>browsing contexts</span> that could access it.</p>
-
- <p>This can restrict the ability of a site to track a user, as the site
- would then only be able to track the user across multiple sessions when
- he authenticates with the site itself (e.g. by making a purchase or
- logging in to a service).</p>
-
- <p>However, this also puts the user's data at risk.</p>
- <!-- XXX should there be an explicit way for sites to state when
- data should expire? as in
- localStorage.expireData(365); ? -->
-
-
- <li>
- <p>Treating persistent storage as cookies: user agents may present the
- persistent storage feature to the user in a way that does not
- distinguish it from HTTP session cookies. <a
- href="#refsRFC2965">[RFC2965]</a></p>
-
- <p>This might encourage users to view persistent storage with healthy
- suspicion.</p>
-
- <li>
- <p>Site-specific white-listing of access to local storage areas: user
- agents may allow sites to access session storage areas in an
- unrestricted manner, but require the user to authorise access to local
- storage areas.</p>
-
- <li>
- <p>Origin-tracking of persistent storage data: user agents may record the
- origins of sites that contained content from third-party origins that
- caused data to be stored.</p>
-
- <p>If this information is then used to present the view of data currently
- in persistent storage, it would allow the user to make informed
- decisions about which parts of the persistent storage to prune. Combined
- with a blacklist ("delete this data and prevent this domain from ever
- storing data again"), the user can restrict the use of persistent
- storage to sites that he trusts.</p>
-
- <li>
- <p>Shared blacklists: user agents may allow users to share their
- persistent storage domain blacklists.</p>
-
- <p>This would allow communities to act together to protect their privacy.</p>
- </ul>
-
- <p>While these suggestions prevent trivial use of this API for user
- tracking, they do not block it altogether. Within a single domain, a site
- can continue to track the user during a session, and can then pass all
- this information to the third party along with any identifying information
- (names, credit card numbers, addresses) obtained by the site. If a third
- party cooperates with multiple sites to obtain such information, a profile
- can still be created.
-
- <p>However, user tracking is to some extent possible even with no
- cooperation from the user agent whatsoever, for instance by using session
- identifiers in URIs, a technique already commonly used for innocuous
- purposes but easily repurposed for user tracking (even retroactively).
- This information can then be shared with other sites, using using
- visitors' IP addresses and other user-specific data (e.g. user-agent
- headers and configuration settings) to combine separate sessions into
- coherent user profiles.
-
- <h5 id=cookie><span class=secno>4.11.7.2. </span>Cookie resurrection</h5>
-
- <p>If the user interface for persistent storage presents data in the
- persistent storage feature separately from data in HTTP session cookies,
- then users are likely to delete data in one and not the other. This would
- allow sites to use the two features as redundant backup for each other,
- defeating a user's attempts to protect his privacy.
-
- <h5 id=dns-spoofing><span class=secno>4.11.7.3. </span>DNS spoofing attacks</h5>
-
- <p>Because of the potential for DNS spoofing attacks, one cannot guarentee
- that a host claiming to be in a certain domain really is from that domain.
- To mitigate this, pages can use SSL. Pages using SSL can be sure that only
- pages using SSL that have certificates identifying them as being from the
- same domain can access their local storage areas.
-
- <h5 id=cross-directory><span class=secno>4.11.7.4. </span>Cross-directory
- attacks</h5>
-
- <p>Different authors sharing one host name, for example users hosting
- content on <code>geocities.com</code>, all share one persistent storage
- object. There is no feature to restrict the access by pathname. Authors on
- shared hosts are therefore recommended to avoid using the persistent
- storage feature, as it would be trivial for other authors to read from and
- write to the same storage area.
-
- <p class=note>Even if a path-restriction feature was made available, the
- usual DOM scripting security model would make it trivial to bypass this
- protection and access the data from any path.
-
- <h5 id=implementation><span class=secno>4.11.7.5. </span>Implementation
- risks</h5>
-
- <p>The two primary risks when implementing this persistent storage feature
- are letting hostile sites read information from other domains, and letting
- hostile sites write information that is then read from other domains.
-
- <p>Letting third-party sites read data that is not supposed to be read from
- their domain causes <em>information leakage</em>, For example, a user's
- shopping wishlist on one domain could be used by another domain for
- targeted advertising; or a user's work-in-progress confidential documents
- stored by a word-processing site could be examined by the site of a
- competing company.
-
- <p>Letting third-party sites write data to the storage areas of other
- domains can result in <em>information spoofing</em>, which is equally
- dangerous. For example, a hostile site could add items to a user's
- wishlist; or a hostile site could set a user's session identifier to a
- known ID that the hostile site can then use to track the user's actions on
- the victim site.
-
- <p>Thus, strictly following the model described in this specification is
- important for user security.
-
- <h3 id=sql><span class=secno>4.12 </span>Client-side database storage</h3>
+ <h4 id=sql><span class=secno>4.11.2 </span>Database storage</h4>
<!-- Feature requests for future versions (v2):
* deleting databases
* determining how much storage room is left
* handling the database getting corrupted
-->
- <h4 id=introduction3><span class=secno>4.12.1 </span>Introduction</h4>
+ <h5 id=introduction3><span class=secno>4.11.2.1. </span>Introduction</h5>
<p><em>This section is non-normative.</em>
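Review bot: if the "Security and privacy" paragraphs removed in this hunk are being moved verbatim into the merged 4.11.4/4.11.5 sections, carry the move as a chance to fix the defects in the removed copy: "guarentee" in the DNS spoofing paragraph should be "guarantee", "using using visitors' IP addresses" in the user-tracking paragraph duplicates "using", and "causes <em>information leakage</em>, For example" in the implementation-risks paragraph needs a full stop before "For". The substance of those paragraphs (domain-scoped storage areas, the geocities-style shared-host warning, and the leakage/spoofing pair of implementation risks) is the most security-relevant text in the section and should land in the new location unchanged apart from those fixes.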
@@ -33266,7 +33088,7 @@
executeSql('SELECT rowid FROM t WHERE c IN (' + q + ')', array, ...);
-->
- <h4 id=databases><span class=secno>4.12.2 </span>Databases</h4>
+ <h5 id=databases><span class=secno>4.11.2.2. </span>Databases</h5>
<p>Each <i><a href="#origin0">origin</a></i> has an associated set of
databases. Each database has a name and a current version. There is no way
@@ -33285,25 +33107,28 @@
an estimated size, in bytes, of the data that will be stored in the
database.
+ <p>The <code title=dom-opendatabase><a
+ href="#opendatabase">openDatabase()</a></code> method must use and create
+ databases from the <a href="#origin0">origin</a> of the <a
+ href="#active">active document</a> of the <code><a
+ href="#window">Window</a></code> object on which the method was invoked.
+
<p>If the database version provided is not the empty string, and the
database already exists but has a different version, then the method must
raise an <code>INVALID_STATE_ERR</code> exception.
- <p>The user agent may also raise a <a href="#security10">security
+ <p>The user agent may also raise a <a href="#security9">security
exception</a> in case the request violates a policy decision (e.g. if the
user agent is configured to not allow the page to open databases).
- <p>Otherwise, if the database provided is the empty string, or if the
- database doesn't yet exist, or if the database exists and the version
+ <p>Otherwise, if the database version provided is the empty string, or if
+ the database doesn't yet exist, or if the database exists and the version
provided to the <code title=dom-opendatabase><a
href="#opendatabase">openDatabase()</a></code> method is the same as the
current version associated with the database, then the method must return
a <code><a href="#database0">Database</a></code> object representing the
- database associated with the <a href="#origin0">origin</a> of the <a
- href="#active">active document</a> of the <a href="#browsing0">browsing
- context</a> of the <code><a href="#window">Window</a></code> object on
- which the method was called that has the name that was given. If no such
- database exists, it must be created first.
+ database that has the name that was given. If no such database exists, it
+ must be created first.
<p>All strings including the empty string are valid database names.
Database names are case-sensitive.
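Review bot: the new paragraph stating that `openDatabase()` "must use and create databases from the origin of the active document" is the right place to put the isolation rule, but the version check two paragraphs later still reads "the database already exists but has a different version" without restating the scope. Make the existence test explicitly per-origin, e.g. "a database with the given name already exists for that origin", so an implementer does not read it as a global lookup by name; a global lookup would let one origin learn, via `INVALID_STATE_ERR`, which database names another origin has created. The wording fix from "if the database provided is the empty string" to "if the database version provided is the empty string" is correct and was needed.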
@@ -33389,7 +33214,8 @@
href="#changeversion">changeVersion()</a></code> method.
</ol>
- <h4 id=executing><span class=secno>4.12.3 </span>Executing SQL statements</h4>
+ <h5 id=executing><span class=secno>4.11.2.3. </span>Executing SQL
+ statements</h5>
<p>The <code title=dom-database-transaction><a
href="#transaction">transaction()</a></code> and <code
@@ -33488,15 +33314,6 @@
completely empty environment with no resources. For example, attempts to
read from or write to the filesystem will fail.
- <p>User agents should limit the total amount of space allowed for each
- origin, but may prompt the user and extend the limit if a database is
- reaching its quota. User agents should allow users to see how much space
- each database is using.
-
- <p>A mostly arbitrary limit of five megabytes per origin is recommended.
- Implementation feedback is welcome and will be used to update this
- suggestion in future.
-
<p>SQL inherently supports multiple concurrent connections. Authors should
make appropriate use of the transaction features to handle the case of
multiple scripts interacting with the same database simultaneously (as
@@ -33512,7 +33329,7 @@
<p class=note>A future version of this specification will probably define
the exact SQL subset required in more detail.
- <h4 id=database><span class=secno>4.12.4 </span>Database query results</h4>
+ <h5 id=database><span class=secno>4.11.2.4. </span>Database query results</h5>
<p>The <code title=dom-transaction-executeSql>executeSql()</code> method
invokes its callback with a <code><a
@@ -33544,7 +33361,9 @@
attribute must return a <code><a
href="#sqlresultsetrowlist">SQLResultSetRowList</a></code> representing
the rows returned, in the order returned by the database. If no rows were
- returned, then the object will be empty.
+ returned, then the object will be empty (its <code
+ title=dom-SQLResultSetRowList-length><a href="#length9">length</a></code>
+ will be zero).
<pre
class=idl>interface <dfn id=sqlresultsetrowlist>SQLResultSetRowList</dfn> {
@@ -33572,7 +33391,7 @@
have the name of the column and the value of the cell, as they were
returned by the database.
- <h4 id=errors><span class=secno>4.12.5 </span>Errors</h4>
+ <h5 id=errors><span class=secno>4.11.2.5. </span>Errors</h5>
<p>Errors in the database API are reported using callbacks that have a
<code><a href="#sqlerror">SQLError</a></code> object as one of their
@@ -33655,7 +33474,7 @@
return an error message describing the error encountered. The message
should be localised to the user's language.
- <h4 id=processing3><span class=secno>4.12.6 </span>Processing model</h4>
+ <h5 id=processing3><span class=secno>4.11.2.6. </span>Processing model</h5>
<p>The <dfn id=transaction0>transaction steps</dfn> are as follows. These
steps must be run asynchronously. These steps are invoked with a
@@ -33783,25 +33602,186 @@
still-pending statements in the transaction are discarded.
</ol>
- <h4 id=privacy><span class=secno>4.12.7 </span>Privacy</h4>
+ <h4 id=disk-space><span class=secno>4.11.3 </span>Disk space</h4>
- <p>In contrast with the <code title=dom-localStorage><a
- href="#localstorage">localStorage</a></code> feature, which intentionally
- allows data to be accessed across multiple domains, protocols, and ports
- (albeit in a controlled fashion), this database feature is limited to
- scripts running with the same <a href="#origin0">origin</a> as the
- database. Thus, it is expected that the privacy implications be equivalent
- to those already present in allowing scripts to communicate with their
- originating host.
+ <p>User agents should limit the total amount of space allowed for storage
+ areas and databases.
- <p>User agents are encouraged to treat data stored in databases in the same
- way as cookies for the purposes of user interfaces, to reduce the risk of
- using this feature for cookie resurrection.
+ <p>User agents should guard against sites storing data in the storage areas
+ or databases of subdomains, e.g. storing up to the limit in
+ a1.example.com, a2.example.com, a3.example.com, etc, circumventing the
+ main example.com storage limit.
- <h4 id=security8><span class=secno>4.12.8 </span>Security</h4>
+ <p>User agents may prompt the user when quotas are reached, allowing the
+ user to grant a site more space. This enables sites to store many
+ user-created documents on the user's computer, for instance.
- <h5 id=user-agents><span class=secno>4.12.8.1. </span>User agents</h5>
+ <p>User agents should allow users to see how much space each domain is
+ using.</p>
+ <!--<p>If the storage area space limit is reached during a <code
+ title="dom-Storage-setItem">setItem()</code> call, the method will
+ raise an exception.</p>-->
+ <p>A mostly arbitrary limit of five megabytes per domain is recommended.
+ Implementation feedback is welcome and will be used to update this
+ suggestion in future.
+
+ <h4 id=privacy><span class=secno>4.11.4 </span>Privacy</h4>
+
+ <h5 id=user-tracking><span class=secno>4.11.4.1. </span>User tracking</h5>
+
+ <p>A third-party advertiser (or any entity capable of getting content
+ distributed to multiple sites) could use a unique identifier stored in its
+ local storage area or in its client-side database to track a user across
+ multiple sessions, building a profile of the user's interests to allow for
+ highly targeted advertising. In conjunction with a site that is aware of
+ the user's real identity (for example an e-commerce site that requires
+ authenticated credentials), this could allow oppressive groups to target
+ individuals with greater accuracy than in a world with purely anonymous
+ Web usage.
+
+ <p>There are a number of techniques that can be used to mitigate the risk
+ of user tracking:
+
+ <ul>
+ <li>
+ <p>Blocking third-party storage: user agents may restrict access to the
+ <code title=dom-localStorage><a
+ href="#localstorage">localStorage</a></code> and database objects to
+ scripts originating at the domain of the top-level document of the <a
+ href="#browsing0">browsing context</a>, for instance denying access to
+ the API for pages from other domains running in <code><a
+ href="#iframe">iframe</a></code>s.</p>
+
+ <li>
+ <p>Expiring stored data: user agents may automatically delete stored data
+ after a period of time.</p>
+
+ <p>For example, a user agent could treat third-party local storage areas
+ as session-only storage, deleting the data once the user had closed all
+ the <span>browsing contexts</span> that could access it.</p>
+
+ <p>This can restrict the ability of a site to track a user, as the site
+ would then only be able to track the user across multiple sessions when
+ he authenticates with the site itself (e.g. by making a purchase or
+ logging in to a service).</p>
+
+ <p>However, this also puts the user's data at risk.</p>
+ <!-- XXX should there be an explicit way for sites to state when
+ data should expire? as in
+ localStorage.expireData(365); ? -->
+
+
+ <li>
+ <p>Treating persistent storage as cookies: user agents should present the
+ persistent storage and database features to the user in a way that does
+ not distinguish them from HTTP session cookies. <a
+ href="#refsRFC2965">[RFC2965]</a></p>
+
+ <p>This might encourage users to view persistent storage with healthy
+ suspicion.</p>
+
+ <li>
+ <p>Site-specific white-listing of access to local storage areas and
+ databases: user agents may allow sites to access session storage areas
+ in an unrestricted manner, but require the user to authorise access to
+ local storage areas and databases.</p>
+
+ <li>
+ <p>Origin-tracking of persistent storage data: user agents may record the
+ origins of sites that contained content from third-party origins that
+ caused data to be stored.</p>
+
+ <p>If this information is then used to present the view of data currently
+ in persistent storage, it would allow the user to make informed
+ decisions about which parts of the persistent storage to prune. Combined
+ with a blacklist ("delete this data and prevent this domain from ever
+ storing data again"), the user can restrict the use of persistent
+ storage to sites that he trusts.</p>
+
+ <li>
+ <p>Shared blacklists: user agents may allow users to share their
+ persistent storage domain blacklists.</p>
+
+ <p>This would allow communities to act together to protect their privacy.</p>
+ </ul>
+
+ <p>While these suggestions prevent trivial use of these APIs for user
+ tracking, they do not block it altogether. Within a single domain, a site
+ can continue to track the user during a session, and can then pass all
+ this information to the third party along with any identifying information
+ (names, credit card numbers, addresses) obtained by the site. If a third
+ party cooperates with multiple sites to obtain such information, a profile
+ can still be created.
+
+ <p>However, user tracking is to some extent possible even with no
+ cooperation from the user agent whatsoever, for instance by using session
+ identifiers in URIs, a technique already commonly used for innocuous
+ purposes but easily repurposed for user tracking (even retroactively).
+ This information can then be shared with other sites, using using
+ visitors' IP addresses and other user-specific data (e.g. user-agent
+ headers and configuration settings) to combine separate sessions into
+ coherent user profiles.
+
+ <h5 id=cookie><span class=secno>4.11.4.2. </span>Cookie resurrection</h5>
+
+ <p>If the user interface for persistent storage presents data in the
+ persistent storage features separately from data in HTTP session cookies,
+ then users are likely to delete data in one and not the other. This would
+ allow sites to use the two features as redundant backup for each other,
+ defeating a user's attempts to protect his privacy.
+
+ <h4 id=security7><span class=secno>4.11.5 </span>Security</h4>
+
+ <h5 id=dns-spoofing><span class=secno>4.11.5.1. </span>DNS spoofing attacks</h5>
+
+ <p>Because of the potential for DNS spoofing attacks, one cannot guarentee
+ that a host claiming to be in a certain domain really is from that domain.
+ To mitigate this, pages can use SSL. Pages using SSL can be sure that only
+ pages using SSL that have certificates identifying them as being from the
+ same domain can access their local storage areas and databases.
+
+ <h5 id=cross-directory><span class=secno>4.11.5.2. </span>Cross-directory
+ attacks</h5>
+
+ <p>Different authors sharing one host name, for example users hosting
+ content on <code>geocities.com</code>, all share one persistent storage
+ object and one set of databases. There is no feature to restrict the
+ access by pathname. Authors on shared hosts are therefore recommended to
+ avoid using the persistent storage features, as it would be trivial for
+ other authors to read from and write to the same storage area or database.
+
+ <p class=note>Even if a path-restriction feature was made available, the
+ usual DOM scripting security model would make it trivial to bypass this
+ protection and access the data from any path.
+
+ <h5 id=implementation><span class=secno>4.11.5.3. </span>Implementation
+ risks</h5>
+
+ <p>The two primary risks when implementing these persistent storage
+ features are letting hostile sites read information from other domains,
+ and letting hostile sites write information that is then read from other
+ domains.
+
+ <p>Letting third-party sites read data that is not supposed to be read from
+ their domain causes <em>information leakage</em>, For example, a user's
+ shopping wishlist on one domain could be used by another domain for
+ targeted advertising; or a user's work-in-progress confidential documents
+ stored by a word-processing site could be examined by the site of a
+ competing company.
+
+ <p>Letting third-party sites write data to the storage areas of other
+ domains can result in <em>information spoofing</em>, which is equally
+ dangerous. For example, a hostile site could add items to a user's
+ wishlist; or a hostile site could set a user's session identifier to a
+ known ID that the hostile site can then use to track the user's actions on
+ the victim site.
+
+ <p>Thus, strictly following the <a href="#origin0">origin</a> model
+ described in this specification is important for user security.
+
+ <h5 id=sql-and><span class=secno>4.11.5.4. </span>SQL and user agents</h5>
+
<p>User agent implementors are strongly encouraged to audit all their
supported SQL statements for security implications. For example, <code
title="">LOAD DATA INFILE</code> is likely to pose security risks and
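Review bot: the Privacy paragraph removed at the top of this hunk recorded a real difference between the two features (localStorage "intentionally allows data to be accessed across multiple domains, protocols, and ports (albeit in a controlled fashion)" while the database "is limited to scripts running with the same origin"); the merged User tracking text now treats "localStorage and database objects" uniformly and that distinction is no longer stated anywhere in the added lines. Suggest carrying one sentence over into the new Privacy or Security section. Two typos in the added text as well: "guarentee" in the DNS spoofing paragraph should be "guarantee", and "using using" in the last User tracking paragraph doubles the word.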
@@ -33813,7 +33793,7 @@
disk representation of the data, as all data in ECMAScript is implicitly
UTF-16.
- <h5 id=sql-injection><span class=secno>4.12.8.2. </span>SQL injection</h5>
+ <h5 id=sql-injection><span class=secno>4.11.5.5. </span>SQL injection</h5>
<p>Authors are strongly recommended to make use of the <code
title="">?</code> placeholder feature of the <code
@@ -33821,9 +33801,9 @@
href="#executesql">executeSql()</a></code> method, and to never construct
SQL statements on the fly.
- <h3 id=links><span class=secno>4.13 </span>Links</h3>
+ <h3 id=links><span class=secno>4.12 </span>Links</h3>
- <h4 id=hyperlink><span class=secno>4.13.1 </span>Hyperlink elements</h4>
+ <h4 id=hyperlink><span class=secno>4.12.1 </span>Hyperlink elements</h4>
<p>The <code><a href="#a">a</a></code>, <code><a
href="#area">area</a></code>, and <code><a href="#link">link</a></code>
@@ -33901,7 +33881,7 @@
fetching the resource, user agents must not use metadata included in the
link to the resource to determine its type.
- <h4 id=following><span class=secno>4.13.2 </span><dfn
+ <h4 id=following><span class=secno>4.12.2 </span><dfn
id=following0>Following hyperlinks</dfn></h4>
<p>When a user <em>follows a hyperlink</em>, the user agent must <a
@@ -33956,7 +33936,7 @@
<p>Otherwise, the browsing context that must be navigated is the same
browsing context as the one which the hyperlink element itself is in.
- <h5 id=hyperlink0><span class=secno>4.13.2.1. </span>Hyperlink auditing</h5>
+ <h5 id=hyperlink0><span class=secno>4.12.2.1. </span>Hyperlink auditing</h5>
<p>If an <code><a href="#a">a</a></code> or <code><a
href="#area">area</a></code> hyperlink element has a <code
@@ -34058,7 +34038,7 @@
it sounds kooky. -->
</div>
- <h4 id=linkTypes><span class=secno>4.13.3 </span>Link types</h4>
+ <h4 id=linkTypes><span class=secno>4.12.3 </span>Link types</h4>
<p>The following table summarises the link types that are defined by this
specification. This table is non-normative; the actual definitions for the
@@ -34381,7 +34361,7 @@
-->
- <h5 id=link-type><span class=secno>4.13.3.1. </span>Link type "<dfn
+ <h5 id=link-type><span class=secno>4.12.3.1. </span>Link type "<dfn
id=alternate title=rel-alternate><code>alternate</code></dfn>"</h5>
<p>The <code title=rel-alternate><a href="#alternate">alternate</a></code>
@@ -34458,7 +34438,7 @@
document, it is also implying that those two documents are alternative
representations of each other.
- <h5 id=link-type0><span class=secno>4.13.3.2. </span>Link type "<dfn
+ <h5 id=link-type0><span class=secno>4.12.3.2. </span>Link type "<dfn
id=archives title=rel-archives><code>archives</code></dfn>"</h5>
<p>The <code title=rel-archives><a href="#archives">archives</a></code>
@@ -34478,7 +34458,7 @@
treat the keyword "<code title="">archive</code>" like the <code
title=rel-archives><a href="#archives">archives</a></code> keyword.
- <h5 id=link-type1><span class=secno>4.13.3.3. </span>Link type "<dfn
+ <h5 id=link-type1><span class=secno>4.12.3.3. </span>Link type "<dfn
id=author title=rel-author><code>author</code></dfn>"</h5>
<p>The <code title=rel-author><a href="#author">author</a></code> keyword
@@ -34510,7 +34490,7 @@
"<code>made</code>" as having the <code title=rel-author><a
href="#author">author</a></code> keyword specified as a link relationship.
- <h5 id=link-type2><span class=secno>4.13.3.4. </span>Link type "<dfn
+ <h5 id=link-type2><span class=secno>4.12.3.4. </span>Link type "<dfn
id=bookmark title=rel-bookmark><code>bookmark</code></dfn>"</h5>
<p>The <code title=rel-bookmark><a href="#bookmark">bookmark</a></code>
@@ -34551,7 +34531,7 @@
...</pre>
</div>
- <h5 id=link-type3><span class=secno>4.13.3.5. </span>Link type "<dfn
+ <h5 id=link-type3><span class=secno>4.12.3.5. </span>Link type "<dfn
id=contact title=rel-contact><code>contact</code></dfn>"</h5>
<p>The <code title=rel-contact><a href="#contact">contact</a></code>
@@ -34576,7 +34556,7 @@
that the referenced document provides further contact information for the
page as a whole.
- <h5 id=link-type4><span class=secno>4.13.3.6. </span>Link type "<dfn
+ <h5 id=link-type4><span class=secno>4.12.3.6. </span>Link type "<dfn
id=external title=rel-external><code>external</code></dfn>"</h5>
<p>The <code title=rel-external><a href="#external">external</a></code>
@@ -34587,7 +34567,7 @@
keyword indicates that the link is leading to a document that is not part
of the site that the current document forms a part of.
- <h5 id=link-type5><span class=secno>4.13.3.7. </span>Link type "<dfn
+ <h5 id=link-type5><span class=secno>4.12.3.7. </span>Link type "<dfn
id=feed title=rel-feed><code>feed</code></dfn>"</h5>
<p>The <code title=rel-feed><a href="#feed">feed</a></code> keyword may be
@@ -34631,7 +34611,7 @@
</ul></pre>
</div>
- <h5 id=link-type6><span class=secno>4.13.3.8. </span>Link type "<dfn
+ <h5 id=link-type6><span class=secno>4.12.3.8. </span>Link type "<dfn
id=help title=rel-help><code>help</code></dfn>"</h5>
<p>The <code title=rel-help><a href="#help">help</a></code> keyword may be
@@ -34659,7 +34639,7 @@
title=rel-help><a href="#help">help</a></code> keyword indicates that the
referenced document provides help for the page as a whole.
- <h5 id=link-type7><span class=secno>4.13.3.9. </span>Link type "<dfn
+ <h5 id=link-type7><span class=secno>4.12.3.9. </span>Link type "<dfn
id=icon3 title=rel-icon><code>icon</code></dfn>"</h5>
<p>The <code title=rel-icon><a href="#icon3">icon</a></code> keyword may be
@@ -34681,7 +34661,7 @@
<!-- XXX we don't define
the content-type sniffing for this keyword -->
- <h5 id=link-type8><span class=secno>4.13.3.10. </span>Link type "<dfn
+ <h5 id=link-type8><span class=secno>4.12.3.10. </span>Link type "<dfn
id=license title=rel-license><code>license</code></dfn>"</h5>
<p>The <code title=rel-license><a href="#license">license</a></code>
@@ -34698,7 +34678,7 @@
treat the keyword "<code title="">copyright</code>" like the <code
title=rel-license><a href="#license">license</a></code> keyword.
- <h5 id=link-type9><span class=secno>4.13.3.11. </span>Link type "<dfn
+ <h5 id=link-type9><span class=secno>4.12.3.11. </span>Link type "<dfn
id=nofollow title=rel-nofollow><code>nofollow</code></dfn>"</h5>
<p>The <code title=rel-nofollow><a href="#nofollow">nofollow</a></code>
@@ -34709,7 +34689,7 @@
keyword indicates that the link is not endorsed by the original author or
publisher of the page.
- <h5 id=link-type10><span class=secno>4.13.3.12. </span>Link type "<dfn
+ <h5 id=link-type10><span class=secno>4.12.3.12. </span>Link type "<dfn
id=noreferrer title=rel-noreferrer><code>noreferrer</code></dfn>"</h5>
<p>The <code title=rel-noreferrer><a
@@ -34723,7 +34703,7 @@
include a <code title="">Referer</code> HTTP header (or equivalent for
other protocols) in the request.
- <h5 id=link-type11><span class=secno>4.13.3.13. </span>Link type "<dfn
+ <h5 id=link-type11><span class=secno>4.12.3.13. </span>Link type "<dfn
id=pingback title=rel-pingback><code>pingback</code></dfn>"</h5>
<p>The <code title=rel-pingback><a href="#pingback">pingback</a></code>
@@ -34735,7 +34715,7 @@
href="#pingback">pingback</a></code> keyword, see the Pingback 1.0
specification. <a href="#refsPINGBACK">[PINGBACK]</a>
- <h5 id=link-type12><span class=secno>4.13.3.14. </span>Link type "<dfn
+ <h5 id=link-type12><span class=secno>4.12.3.14. </span>Link type "<dfn
id=prefetch title=rel-prefetch><code>prefetch</code></dfn>"</h5>
<p>The <code title=rel-prefetch><a href="#prefetch">prefetch</a></code>
@@ -34751,7 +34731,7 @@
<p>There is no default type for resources given by the <code
title=rel-prefetch><a href="#prefetch">prefetch</a></code> keyword.
- <h5 id=link-type13><span class=secno>4.13.3.15. </span>Link type "<dfn
+ <h5 id=link-type13><span class=secno>4.12.3.15. </span>Link type "<dfn
id=search0 title=rel-search><code>search</code></dfn>"</h5>
<p>The <code title=rel-search><a href="#search0">search</a></code> keyword
@@ -34772,7 +34752,7 @@
http://www.opensearch.org/Specifications/OpenSearch/1.1#Autodiscovery_in_HTML.2FXHTML
-->
- <h5 id=link-type14><span class=secno>4.13.3.16. </span>Link type "<dfn
+ <h5 id=link-type14><span class=secno>4.12.3.16. </span>Link type "<dfn
id=stylesheet title=rel-stylesheet><code>stylesheet</code></dfn>"</h5>
<p>The <code title=rel-stylesheet><a
@@ -34800,7 +34780,7 @@
not a supported style sheet type, the user agent must instead assume it to
be <code title="">text/css</code>.
- <h5 id=link-type15><span class=secno>4.13.3.17. </span>Link type "<dfn
+ <h5 id=link-type15><span class=secno>4.12.3.17. </span>Link type "<dfn
id=sidebar title=rel-sidebar><code>sidebar</code></dfn>"</h5>
<p>The <code title=rel-sidebar><a href="#sidebar">sidebar</a></code>
@@ -34820,7 +34800,7 @@
specified is a <dfn id=sidebar0 title=rel-sidebar-hyperlink>sidebar
hyperlink</dfn>.
- <h5 id=link-type16><span class=secno>4.13.3.18. </span>Link type "<dfn
+ <h5 id=link-type16><span class=secno>4.12.3.18. </span>Link type "<dfn
id=tag title=rel-tag><code>tag</code></dfn>"</h5>
<p>The <code title=rel-tag><a href="#tag">tag</a></code> keyword may be
@@ -34833,7 +34813,7 @@
that the <em>tag</em> that the referenced document represents applies to
the current document.
- <h5 id=hierarchical><span class=secno>4.13.3.19. </span>Hierarchical link
+ <h5 id=hierarchical><span class=secno>4.12.3.19. </span>Hierarchical link
types</h5>
<p>Some documents form part of a hierarchical structure of documents.
@@ -34845,7 +34825,7 @@
<p>A document may be part of multiple hierarchies.
- <h6 id=link-type17><span class=secno>4.13.3.19.1. </span>Link type "<dfn
+ <h6 id=link-type17><span class=secno>4.12.3.19.1. </span>Link type "<dfn
id=index title=rel-index><code>index</code></dfn>"</h6>
<p>The <code title=rel-index><a href="#index">index</a></code> keyword may
@@ -34865,7 +34845,7 @@
title="">contents</code>", and "<code title="">toc</code>" like the <code
title=rel-index><a href="#index">index</a></code> keyword.
- <h6 id=link-type18><span class=secno>4.13.3.19.2. </span>Link type "<dfn
+ <h6 id=link-type18><span class=secno>4.12.3.19.2. </span>Link type "<dfn
id=up title=rel-up><code>up</code></dfn>"</h6>
<p>The <code title=rel-up><a href="#up">up</a></code> keyword may be used
@@ -34930,7 +34910,7 @@
<code title=rel-up><a href="#up">up</a></code> keywords (the interface
hides duplicates).
- <h5 id=sequential0><span class=secno>4.13.3.20. </span>Sequential link
+ <h5 id=sequential0><span class=secno>4.12.3.20. </span>Sequential link
types</h5>
<p>Some documents form part of a sequence of documents.
@@ -34942,7 +34922,7 @@
<p>A document may be part of multiple sequences.
- <h6 id=link-type19><span class=secno>4.13.3.20.1. </span>Link type "<dfn
+ <h6 id=link-type19><span class=secno>4.12.3.20.1. </span>Link type "<dfn
id=first title=rel-first><code>first</code></dfn>"</h6>
<p>The <code title=rel-first><a href="#first">first</a></code> keyword may
@@ -34961,7 +34941,7 @@
title="">start</code>" like the <code title=rel-first><a
href="#first">first</a></code> keyword.
- <h6 id=link-type20><span class=secno>4.13.3.20.2. </span>Link type "<dfn
+ <h6 id=link-type20><span class=secno>4.12.3.20.2. </span>Link type "<dfn
id=last title=rel-last><code>last</code></dfn>"</h6>
<p>The <code title=rel-last><a href="#last">last</a></code> keyword may be
@@ -34978,7 +34958,7 @@
treat the keyword "<code title="">end</code>" like the <code
title=rel-last><a href="#last">last</a></code> keyword.
- <h6 id=link-type21><span class=secno>4.13.3.20.3. </span>Link type "<dfn
+ <h6 id=link-type21><span class=secno>4.12.3.20.3. </span>Link type "<dfn
id=next title=rel-next><code>next</code></dfn>"</h6>
<p>The <code title=rel-next><a href="#next">next</a></code> keyword may be
@@ -34991,7 +34971,7 @@
indicates that the document is part of a sequence, and that the link is
leading to the document that is the next logical document in the sequence.
- <h6 id=link-type22><span class=secno>4.13.3.20.4. </span>Link type "<dfn
+ <h6 id=link-type22><span class=secno>4.12.3.20.4. </span>Link type "<dfn
id=prev title=rel-prev><code>prev</code></dfn>"</h6>
<p>The <code title=rel-prev><a href="#prev">prev</a></code> keyword may be
@@ -35009,7 +34989,7 @@
treat the keyword "<code title="">previous</code>" like the <code
title=rel-prev><a href="#prev">prev</a></code> keyword.
- <h5 id=other0><span class=secno>4.13.3.21. </span>Other link types</h5>
+ <h5 id=other0><span class=secno>4.12.3.21. </span>Other link types</h5>
<p>Other than the types defined above, only types defined as extensions in
the <a href="http://wiki.whatwg.org/wiki/RelExtensions">WHATWG Wiki
@@ -35138,7 +35118,7 @@
<p>This specification does not define how new values will get approved. It
is expected that the Wiki will have a community that addresses this.
- <h3 id=interfaces><span class=secno>4.14 </span>Interfaces for URI
+ <h3 id=interfaces><span class=secno>4.13 </span>Interfaces for URI
manipulation</h3>
<p>An interface that has a complement of <dfn id=uri-decomposition>URI
@@ -36732,7 +36712,7 @@
element with the keyboard focus, and then ended the drag-and-drop
operation without canceling it.
- <h4 id=security9><span class=secno>5.3.7 </span>Security risks in the
+ <h4 id=security8><span class=secno>5.3.7 </span>Security risks in the
drag-and-drop model</h4>
<p>User agents must not make the data added to the <code><a
@@ -38724,7 +38704,7 @@
<p>First, if the domain part of the script's <a href="#origin0">origin</a>
is not a host name (e.g. it is an IP address) then the UA must raise a <a
- href="#security10">security exception</a>. <span class=issue>We currently
+ href="#security9">security exception</a>. <span class=issue>We currently
don't allow connections to be set up back to an originating IP address,
but we could, if the subdomain is the empty string.</span>
@@ -38744,16 +38724,15 @@
65535,
</ul>
- <p>...then the UA must raise a <a href="#security10">security
- exception</a>.</p>
+ <p>...then the UA must raise a <a href="#security9">security exception</a>.</p>
<!-- XXX we should have our own port for this too, e.g. 980 -->
<p>Otherwise, the user agent must verify that the <a
href="#the-string0">the string representing the script's domain in IDNA
format</a> can be obtained without errors. If it cannot, then the user
- agent must raise a <a href="#security10">security exception</a>.
+ agent must raise a <a href="#security9">security exception</a>.
- <p>The user agent may also raise a <a href="#security10">security
+ <p>The user agent may also raise a <a href="#security9">security
exception</a> at this time if, for some reason, permission to create a
direct TCP connection to the relevant host is denied. Reasons could
include the UA being instructed by the user to not allow direct
@@ -38815,7 +38794,7 @@
href="#network1">network</a></code> attribute of the object must be set to
<a href="#the-string0">the string representing the script's domain in IDNA
format</a>. If this string cannot be obtained, then the user agent must
- raise a <a href="#security10">security exception</a> exception when the
+ raise a <a href="#security9">security exception</a> exception when the
constructor is called.
<p>The <code title=dom-Connection-peer><a href="#peer">peer</a></code>
@@ -38823,7 +38802,7 @@
<p>The object must then be returned, unless, for some reason, permission to
broadcast on the local network is to be denied. In the latter case, a <a
- href="#security10">security exception</a> must be raised instead. User
+ href="#security9">security exception</a> must be raised instead. User
agents may deny such permission for any reason, for example a user
preference.
@@ -38953,7 +38932,7 @@
href="#network1">network</a></code> attribute of the object must be set to
<a href="#the-string0">the string representing the script's domain in IDNA
format</a>. If this string cannot be obtained, then the user agent must
- raise a <a href="#security10">security exception</a> exception when the
+ raise a <a href="#security9">security exception</a> exception when the
constructor is called.
<p>The <code title=dom-Connection-peer><a href="#peer">peer</a></code>
@@ -38962,7 +38941,7 @@
<p>The object must then be returned, unless, for some reason, permission to
establish peer-to-peer connections is generally disallowed, for example
due to administrator settings. In the latter case, a <a
- href="#security10">security exception</a> must be raised instead.
+ href="#security9">security exception</a> must be raised instead.
<p>The user agent must then, typically while the script resumes execution,
find a remote host to establish a connection to. To do this it must start
Modified: source
===================================================================
--- source 2008-05-07 03:27:23 UTC (rev 1543)
+++ source 2008-05-07 04:03:40 UTC (rev 1544)
@@ -30418,10 +30418,11 @@
+ <h3>Structured client-side storage</h3>
- <h3 id="storage">Client-side session and persistent storage of name/value pairs</h3>
+ <h4 id="storage">Storing name/value pairs</h4>
- <h4>Introduction</h4>
+ <h5>Introduction</h5>
<p><em>This section is non-normative.</em></p>
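Review bot: the new `<h3>Structured client-side storage</h3>` is added without an id, while the heading it now contains keeps id="storage"; give the h3 an explicit id too, so its anchor does not depend on a generated id (the index side of this same diff shows how generated ids such as security9/security10 shift whenever a section is added or removed, which breaks existing links).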
@@ -30519,7 +30520,7 @@
convert it to a string.</p>
- <h4>The <code>Storage</code> interface</h4>
+ <h5>The <code>Storage</code> interface</h5>
<!-- XXX shouldn't we define somewhere how null values get handled
in these methods? Do they get converted to the empty string or
@@ -30629,7 +30630,7 @@
-->
- <h4>The <code title="dom-sessionStorage">sessionStorage</code> attribute</h4>
+ <h5>The <code title="dom-sessionStorage">sessionStorage</code> attribute</h5>
<p>The <dfn
title="dom-sessionStorage"><code>sessionStorage</code></dfn>
@@ -30695,7 +30696,7 @@
title="event-storage">described below</span>.</p>
- <h4>The <code title="dom-localStorage">localStorage</code> attribute</h4>
+ <h5>The <code title="dom-localStorage">localStorage</code> attribute</h5>
<p>The <dfn title="dom-localStorage"><code>localStorage</code></dfn>
object provides a <code>Storage</code> object for an
@@ -30736,7 +30737,7 @@
title="event-storage">described below</span>.</p>
- <h4>The <code title="event-storage">storage</code> event</h4>
+ <h5>The <code title="event-storage">storage</code> event</h5>
<p>The <dfn title="event-storage"><code>storage</code></dfn> event
is fired in an <code>HTMLDocument</code> when a storage area
@@ -30779,7 +30780,7 @@
otherwise.</p>
- <h5>Event definition</h5>
+ <h6>Event definition</h6>
<pre class="idl">interface <dfn>StorageEvent</dfn> : Event {
readonly attribute DOMString <span title="dom-StorageEvent-key">key</span>;
@@ -30820,35 +30821,6 @@
- <h4>Miscellaneous implementation requirements for storage areas</h4>
-
- <h5>Disk space</h5>
-
- <p>User agents should limit the total amount of space allowed for a
- storage area.</p>
-
- <p>User agents should guard against sites storing data in the
- storage areas of subdomains, e.g. storing up to the limit in
- a1.example.com, a2.example.com, a3.example.com, etc, circumventing
- the main example.com storage area's limit.</p>
-
- <p>User agents may prompt the user when quotas are reached, allowing
- the user to grant a site more space. This enables sites to store
- many user-created documents on the user's computer, for
- instance.</p>
-
- <p>User agents should allow users to see how much space each domain
- is using.</p>
-
- <p>If the storage area space limit is reached during a <code
- title="dom-Storage-setItem">setItem()</code> call, the method will
- raise an exception.</p>
-
- <p>A mostly arbitrary limit of five megabytes per domain is
- recommended. Implementation feedback is welcome and will be used to
- update this suggestion in future.</p>
-
-
<h5>Threads</h5>
<p>Multiple browsing contexts must be able to access the local
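Review bot: this hunk drops the normative sentence "If the storage area space limit is reached during a setItem() call, the method will raise an exception", and the merged Disk space section on the index side carries it only inside an HTML comment. Nothing left in the diff says what setItem() does when the quota is exhausted, so either reinstate the sentence in the new Disk space section or add a statement of the failure behaviour (which exception is raised, and that the storage area is left unchanged); the surviving text about prompting the user to grant more space presumes a defined failure mode for the site to recover from.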
@@ -30877,197 +30849,17 @@
met.</p>
- <h4>Security and privacy</h4>
- <h5>User tracking</h5>
- <p>A third-party advertiser (or any entity capable of getting
- content distributed to multiple sites) could use a unique identifier
- stored in its local storage area to track a user across multiple
- sessions, building a profile of the user's interests to allow for
- highly targeted advertising. In conjunction with a site that is
- aware of the user's real identity (for example an e-commerce site
- that requires authenticated credentials), this could allow
- oppressive groups to target individuals with greater accuracy than
- in a world with purely anonymous Web usage.</p>
+ <h4 id="sql">Database storage</h4>
- <p>There are a number of techniques that can be used to mitigate the
- risk of user tracking:</p>
-
- <ul>
-
- <li>
-
- <p>Blocking third-party storage: user agents may restrict access
- to the <code title="dom-localStorage">localStorage</code> object
- to scripts originating at the domain of the top-level document of
- the <span>browsing context</span>, for instance denying access to
- the API for pages from other domains running in
- <code>iframe</code>s.</p>
-
- </li>
-
- <li>
-
- <p>Expiring stored data: user agents may automatically delete
- stored data after a period of time.</p>
-
- <p>For example, a user agent could treat third-party local
- storage areas as session-only storage, deleting the data once the
- user had closed all the <span>browsing contexts</span> that could
- access it.</p>
-
- <p>This can restrict the ability of a site to track a user, as the
- site would then only be able to track the user across multiple
- sessions when he authenticates with the site itself (e.g. by
- making a purchase or logging in to a service).</p>
-
- <p>However, this also puts the user's data at risk.</p>
-
- <!-- XXX should there be an explicit way for sites to state when
- data should expire? as in
- localStorage.expireData(365); ? -->
-
- </li>
-
- <li>
-
- <p>Treating persistent storage as cookies: user agents may present
- the persistent storage feature to the user in a way that does not
- distinguish it from HTTP session cookies. <a
- href="#refsRFC2965">[RFC2965]</a></p>
-
- <p>This might encourage users to view persistent storage with
- healthy suspicion.</p>
-
- </li>
-
- <li>
-
- <p>Site-specific white-listing of access to local storage areas:
- user agents may allow sites to access session storage areas in an
- unrestricted manner, but require the user to authorise access to
- local storage areas.</p>
-
- </li>
-
- <li>
-
- <p>Origin-tracking of persistent storage data: user agents may
- record the origins of sites that contained content from
- third-party origins that caused data to be stored.</p>
-
- <p>If this information is then used to present the view of data
- currently in persistent storage, it would allow the user to make
- informed decisions about which parts of the persistent storage to
- prune. Combined with a blacklist ("delete this data and prevent
- this domain from ever storing data again"), the user can restrict
- the use of persistent storage to sites that he trusts.</p>
-
- </li>
-
- <li>
-
- <p>Shared blacklists: user agents may allow users to share their
- persistent storage domain blacklists.</p>
-
- <p>This would allow communities to act together to protect their
- privacy.</p>
-
- </li>
-
- </ul>
-
- <p>While these suggestions prevent trivial use of this API for user
- tracking, they do not block it altogether. Within a single domain, a
- site can continue to track the user during a session, and can then
- pass all this information to the third party along with any
- identifying information (names, credit card numbers, addresses)
- obtained by the site. If a third party cooperates with multiple
- sites to obtain such information, a profile can still be
- created.</p>
-
- <p>However, user tracking is to some extent possible even with no
- cooperation from the user agent whatsoever, for instance by using
- session identifiers in URIs, a technique already commonly used for
- innocuous purposes but easily repurposed for user tracking (even
- retroactively). This information can then be shared with other
- sites, using using visitors' IP addresses and other user-specific
- data (e.g. user-agent headers and configuration settings) to combine
- separate sessions into coherent user profiles.</p>
-
-
- <h5>Cookie resurrection</h5>
-
- <p>If the user interface for persistent storage presents data in the
- persistent storage feature separately from data in HTTP session
- cookies, then users are likely to delete data in one and not the
- other. This would allow sites to use the two features as redundant
- backup for each other, defeating a user's attempts to protect his
- privacy.</p>
-
-
- <h5>DNS spoofing attacks</h5>
-
- <p>Because of the potential for DNS spoofing attacks, one cannot
- guarentee that a host claiming to be in a certain domain really is
- from that domain. To mitigate this, pages can use SSL. Pages using
- SSL can be sure that only pages using SSL that have certificates
- identifying them as being from the same domain can access their
- local storage areas.</p>
-
-
- <h5>Cross-directory attacks</h5>
-
- <p>Different authors sharing one host name, for example users
- hosting content on <code>geocities.com</code>, all share one
- persistent storage object. There is no feature to restrict the
- access by pathname. Authors on shared hosts are therefore
- recommended to avoid using the persistent storage feature, as it
- would be trivial for other authors to read from and write to the
- same storage area.</p>
-
- <p class="note">Even if a path-restriction feature was made
- available, the usual DOM scripting security model would make it
- trivial to bypass this protection and access the data from any
- path.</p>
-
-
- <h5>Implementation risks</h5>
-
- <p>The two primary risks when implementing this persistent storage
- feature are letting hostile sites read information from other
- domains, and letting hostile sites write information that is then
- read from other domains.</p>
-
- <p>Letting third-party sites read data that is not supposed to be
- read from their domain causes <em>information leakage</em>, For
- example, a user's shopping wishlist on one domain could be used by
- another domain for targeted advertising; or a user's
- work-in-progress confidential documents stored by a word-processing
- site could be examined by the site of a competing company.</p>
-
- <p>Letting third-party sites write data to the storage areas of
- other domains can result in <em>information spoofing</em>, which is
- equally dangerous. For example, a hostile site could add items to a
- user's wishlist; or a hostile site could set a user's session
- identifier to a known ID that the hostile site can then use to track
- the user's actions on the victim site.</p>
-
- <p>Thus, strictly following the model described in this
- specification is important for user security.</p>
-
-
-
- <h3 id="sql">Client-side database storage</h3>
-
<!-- Feature requests for future versions (v2):
* deleting databases
* determining how much storage room is left
* handling the database getting corrupted
-->
- <h4>Introduction</h4>
+ <h5>Introduction</h5>
<p><em>This section is non-normative.</em></p>
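Review bot: the whole "Security and privacy" block deleted in this hunk (from the "User tracking" subsection through "Implementation risks") is re-added verbatim under the database section in the last hunk, so its defects travel with it: "guarentee" in the DNS spoofing paragraph, "using using" in the user-tracking paragraph, and the comma splice "causes <em>information leakage</em>, For example". Since the text is being relocated anyway, correct those in the re-added copy rather than carrying them over. Keeping id="sql" on the heading when it is demoted from h3 to h4 is the right call; existing fragment links into the database section keep resolving.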
@@ -31082,7 +30874,7 @@
executeSql('SELECT rowid FROM t WHERE c IN (' + q + ')', array, ...);
-->
- <h4>Databases</h4>
+ <h5>Databases</h5>
<p>Each <i>origin</i> has an associated set of databases. Each
database has a name and a current version. There is no way to
@@ -31103,6 +30895,11 @@
an estimated size, in bytes, of the data that will be stored in the
database.</p>
+ <p>The <code title="dom-opendatabase">openDatabase()</code> method
+ must use and create databases from the <span>origin</span> of the
+ <span>active document</span> of the <code>Window</code> object on
+ which the method was invoked.</p>
+
<p>If the database version provided is not the empty string, and the
database already exists but has a different version, then the method
must raise an <code>INVALID_STATE_ERR</code> exception.</p>
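Review bot: the added sentence "must use and create databases from the origin of the active document" reads as if the origin were a source rather than the key, and "create" duplicates the later step "If no such database exists, it must be created first". Suggest: "must operate on the set of databases associated with the origin of the active document of the Window object on which the method was invoked". Placing it ahead of the version check, as done here, is correct, because it makes clear that the version comparison and the INVALID_STATE_ERR are evaluated against that origin's database of the given name, not against any database that happens to share the name.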
@@ -31111,17 +30908,14 @@
in case the request violates a policy decision (e.g. if the user
agent is configured to not allow the page to open databases).</p>
- <p>Otherwise, if the database provided is the empty string, or if
- the database doesn't yet exist, or if the database exists and the
- version provided to the <code
+ <p>Otherwise, if the database version provided is the empty string,
+ or if the database doesn't yet exist, or if the database exists and
+ the version provided to the <code
title="dom-opendatabase">openDatabase()</code> method is the same as
the current version associated with the database, then the method
must return a <code>Database</code> object representing the database
- associated with the <span>origin</span> of the <span>active
- document</span> of the <span>browsing context</span> of the
- <code>Window</code> object on which the method was called that has
- the name that was given. If no such database exists, it must be
- created first.</p>
+ that has the name that was given. If no such database exists, it
+ must be created first.</p>
<p>All strings including the empty string are valid database
names. Database names are case-sensitive.</p>
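Review bot: the change from "if the database provided is the empty string" to "if the database version provided is the empty string" fixes a real error, not a wording nit; the old text made an empty database name the wildcard case, which contradicts the sentence that follows ("All strings including the empty string are valid database names"). With the origin qualifier moved out of this paragraph, "the database that has the name that was given" now depends on the origin sentence added earlier in the section; consider "the database in that origin's set that has the name that was given" so this paragraph is unambiguous on its own.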
@@ -31215,7 +31009,7 @@
</ol>
- <h4>Executing SQL statements</h4>
+ <h5>Executing SQL statements</h5>
<p>The <code title="dom-database-transaction">transaction()</code>
and <code title="dom-database-changeVersion">changeVersion()</code>
@@ -31312,15 +31106,7 @@
example, attempts to read from or write to the filesystem will
fail.</p>
- <p>User agents should limit the total amount of space allowed for
- each origin, but may prompt the user and extend the limit if a
- database is reaching its quota. User agents should allow users to
- see how much space each database is using.</p>
- <p>A mostly arbitrary limit of five megabytes per origin is
- recommended. Implementation feedback is welcome and will be used to
- update this suggestion in future.</p>
-
<p>SQL inherently supports multiple concurrent connections. Authors
should make appropriate use of the transaction features to handle
the case of multiple scripts interacting with the same database
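Review bot: the quota text removed here said "five megabytes per origin" and "each origin"; the relocated copy in the new "Disk space" section says "per domain" and "each domain". That is a substantive change in a commit tagged [e]: a per-domain limit pools http and https pages and different ports into one quota, and "domain" is not the term the rest of the section keys storage on. Keep "origin" unless the intent is a per-registrable-domain pool shared by subdomains; if so, state that explicitly, since it is the only reading under which the new "guard against sites storing data in ... subdomains" paragraph is actually enforceable.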
@@ -31339,7 +31125,7 @@
define the exact SQL subset required in more detail.</p>
- <h4>Database query results</h4>
+ <h5>Database query results</h5>
<p>The <code title="dom-transaction-executeSql">executeSql()</code>
method invokes its callback with a <code>SQLResultSet</code> object
@@ -31370,8 +31156,9 @@
<p>The <dfn title="dom-SQLResultSet-rows"><code>rows</code></dfn>
attribute must return a <code>SQLResultSetRowList</code>
representing the rows returned, in the order returned by the
- database. If no rows were returned, then the object will be
- empty.</p>
+ database. If no rows were returned, then the object will be empty
+ (its <code title="dom-SQLResultSetRowList-length">length</code> will
+ be zero).</p>
<pre class="idl">interface <dfn>SQLResultSetRowList</dfn> {
readonly attribute unsigned long <span title="dom-SQLResultSetRowList-length">length</span>;
@@ -31398,7 +31185,7 @@
by the database.</p>
- <h4>Errors</h4>
+ <h5>Errors</h5>
<p>Errors in the database API are reported using callbacks that have
a <code>SQLError</code> object as one of their arguments.</p>
@@ -31478,7 +31265,7 @@
- <h4>Processing model</h4>
+ <h5>Processing model</h5>
<p>The <dfn>transaction steps</dfn> are as follows. These steps must
be run asynchronously. These steps are invoked with a <i>transaction
@@ -31595,26 +31382,219 @@
+ <h4>Disk space</h4>
+
+ <p>User agents should limit the total amount of space allowed for
+ storage areas and databases.</p>
+
+ <p>User agents should guard against sites storing data in the
+ storage areas or databases of subdomains, e.g. storing up to the
+ limit in a1.example.com, a2.example.com, a3.example.com, etc,
+ circumventing the main example.com storage limit.</p>
+
+ <p>User agents may prompt the user when quotas are reached, allowing
+ the user to grant a site more space. This enables sites to store
+ many user-created documents on the user's computer, for
+ instance.</p>
+
+ <p>User agents should allow users to see how much space each domain
+ is using.</p>
+
+ <!--<p>If the storage area space limit is reached during a <code
+ title="dom-Storage-setItem">setItem()</code> call, the method will
+ raise an exception.</p>-->
+
+ <p>A mostly arbitrary limit of five megabytes per domain is
+ recommended. Implementation feedback is welcome and will be used to
+ update this suggestion in future.</p>
+
+
<h4>Privacy</h4>
- <p>In contrast with the <code
- title="dom-localStorage">localStorage</code> feature, which
- intentionally allows data to be accessed across multiple domains,
- protocols, and ports (albeit in a controlled fashion), this database
- feature is limited to scripts running with the same
- <span>origin</span> as the database. Thus, it is expected that the
- privacy implications be equivalent to those already present in
- allowing scripts to communicate with their originating host.</p>
+ <h5>User tracking</h5>
- <p>User agents are encouraged to treat data stored in databases in
- the same way as cookies for the purposes of user interfaces, to
- reduce the risk of using this feature for cookie resurrection.</p>
+ <p>A third-party advertiser (or any entity capable of getting
+ content distributed to multiple sites) could use a unique identifier
+ stored in its local storage area or in its client-side database to
+ track a user across multiple sessions, building a profile of the
+ user's interests to allow for highly targeted advertising. In
+ conjunction with a site that is aware of the user's real identity
+ (for example an e-commerce site that requires authenticated
+ credentials), this could allow oppressive groups to target
+ individuals with greater accuracy than in a world with purely
+ anonymous Web usage.</p>
+ <p>There are a number of techniques that can be used to mitigate the
+ risk of user tracking:</p>
+ <ul>
+
+ <li>
+
+ <p>Blocking third-party storage: user agents may restrict access
+ to the <code title="dom-localStorage">localStorage</code> and
+ database objects to scripts originating at the domain of the
+ top-level document of the <span>browsing context</span>, for
+ instance denying access to the API for pages from other domains
+ running in <code>iframe</code>s.</p>
+
+ </li>
+
+ <li>
+
+ <p>Expiring stored data: user agents may automatically delete
+ stored data after a period of time.</p>
+
+ <p>For example, a user agent could treat third-party local
+ storage areas as session-only storage, deleting the data once the
+ user had closed all the <span>browsing contexts</span> that could
+ access it.</p>
+
+ <p>This can restrict the ability of a site to track a user, as the
+ site would then only be able to track the user across multiple
+ sessions when he authenticates with the site itself (e.g. by
+ making a purchase or logging in to a service).</p>
+
+ <p>However, this also puts the user's data at risk.</p>
+
+ <!-- XXX should there be an explicit way for sites to state when
+ data should expire? as in
+ localStorage.expireData(365); ? -->
+
+ </li>
+
+ <li>
+
+ <p>Treating persistent storage as cookies: user agents should
+ present the persistent storage and database features to the user
+ in a way that does not distinguish them from HTTP session
+ cookies. <a href="#refsRFC2965">[RFC2965]</a></p>
+
+ <p>This might encourage users to view persistent storage with
+ healthy suspicion.</p>
+
+ </li>
+
+ <li>
+
+ <p>Site-specific white-listing of access to local storage areas
+ and databases: user agents may allow sites to access session
+ storage areas in an unrestricted manner, but require the user to
+ authorise access to local storage areas and databases.</p>
+
+ </li>
+
+ <li>
+
+ <p>Origin-tracking of persistent storage data: user agents may
+ record the origins of sites that contained content from
+ third-party origins that caused data to be stored.</p>
+
+ <p>If this information is then used to present the view of data
+ currently in persistent storage, it would allow the user to make
+ informed decisions about which parts of the persistent storage to
+ prune. Combined with a blacklist ("delete this data and prevent
+ this domain from ever storing data again"), the user can restrict
+ the use of persistent storage to sites that he trusts.</p>
+
+ </li>
+
+ <li>
+
+ <p>Shared blacklists: user agents may allow users to share their
+ persistent storage domain blacklists.</p>
+
+ <p>This would allow communities to act together to protect their
+ privacy.</p>
+
+ </li>
+
+ </ul>
+
+ <p>While these suggestions prevent trivial use of these APIs for
+ user tracking, they do not block it altogether. Within a single
+ domain, a site can continue to track the user during a session, and
+ can then pass all this information to the third party along with any
+ identifying information (names, credit card numbers, addresses)
+ obtained by the site. If a third party cooperates with multiple
+ sites to obtain such information, a profile can still be
+ created.</p>
+
+ <p>However, user tracking is to some extent possible even with no
+ cooperation from the user agent whatsoever, for instance by using
+ session identifiers in URIs, a technique already commonly used for
+ innocuous purposes but easily repurposed for user tracking (even
+ retroactively). This information can then be shared with other
+ sites, using using visitors' IP addresses and other user-specific
+ data (e.g. user-agent headers and configuration settings) to combine
+ separate sessions into coherent user profiles.</p>
+
+
+ <h5>Cookie resurrection</h5>
+
+ <p>If the user interface for persistent storage presents data in the
+ persistent storage features separately from data in HTTP session
+ cookies, then users are likely to delete data in one and not the
+ other. This would allow sites to use the two features as redundant
+ backup for each other, defeating a user's attempts to protect his
+ privacy.</p>
+
+
<h4>Security</h4>
- <h5>User agents</h5>
+ <h5>DNS spoofing attacks</h5>
+ <p>Because of the potential for DNS spoofing attacks, one cannot
+ guarentee that a host claiming to be in a certain domain really is
+ from that domain. To mitigate this, pages can use SSL. Pages using
+ SSL can be sure that only pages using SSL that have certificates
+ identifying them as being from the same domain can access their
+ local storage areas and databases.</p>
+
+
+ <h5>Cross-directory attacks</h5>
+
+ <p>Different authors sharing one host name, for example users
+ hosting content on <code>geocities.com</code>, all share one
+ persistent storage object and one set of databases. There is no
+ feature to restrict the access by pathname. Authors on shared hosts
+ are therefore recommended to avoid using the persistent storage
+ features, as it would be trivial for other authors to read from and
+ write to the same storage area or database.</p>
+
+ <p class="note">Even if a path-restriction feature was made
+ available, the usual DOM scripting security model would make it
+ trivial to bypass this protection and access the data from any
+ path.</p>
+
+
+ <h5>Implementation risks</h5>
+
+ <p>The two primary risks when implementing these persistent storage
+ features are letting hostile sites read information from other
+ domains, and letting hostile sites write information that is then
+ read from other domains.</p>
+
+ <p>Letting third-party sites read data that is not supposed to be
+ read from their domain causes <em>information leakage</em>, For
+ example, a user's shopping wishlist on one domain could be used by
+ another domain for targeted advertising; or a user's
+ work-in-progress confidential documents stored by a word-processing
+ site could be examined by the site of a competing company.</p>
+
+ <p>Letting third-party sites write data to the storage areas of
+ other domains can result in <em>information spoofing</em>, which is
+ equally dangerous. For example, a hostile site could add items to a
+ user's wishlist; or a hostile site could set a user's session
+ identifier to a known ID that the hostile site can then use to track
+ the user's actions on the victim site.</p>
+
+ <p>Thus, strictly following the <span>origin</span> model described
+ in this specification is important for user security.</p>
+
+
+ <h5>SQL and user agents</h5>
+
<p>User agent implementors are strongly encouraged to audit all
their supported SQL statements for security implications. For
example, <code title="">LOAD DATA INFILE</code> is likely to pose