[whatwg] Web Storage: apparent contradiction in spec

Linus Upson linus at google.com
Tue Aug 25 13:38:36 PDT 2009


It is important that all local state be treated as a cache. User agents need
to be free to garbage collect any local state. If they can't then attackers
(or the merely lazy) will be able to fill up the user's disk. We can't
expect web sites or users to do the chore of taking out the garbage. Better
user agents will have better garbage collection algorithms.
It would be better to remove section 4.3.

Linus


On Tue, Aug 25, 2009 at 1:18 PM, Jens Alfke <snej at google.com> wrote:

> I've just noticed an apparent self-contradiction in the Web Storage spec<http://dev.w3.org/html5/webstorage> (24
> August draft).
> Section 4.3 states:
>
> Data stored in local storage areas should be considered potentially
> user-critical. It is expected that Web applications will use the local
> storage areas for storing user-written documents.
>
>
> Section 6.1 states:
>
> User agents should present the persistent storage feature to the user in a
> way that does not distinguish them from HTTP session cookies.
>
>
> These statements are contradictory, because cookies don't store
> user-critical data such as documents. The user model of cookies is that
> they're conveniences (at best) for keeping you logged into a site or
> remembering preferences like font-size, so deleting them is no more than an
> inconvenience. If local storage is presented to the user as being cookies,
> then a user may delete it without understanding the consequences.
>
> Potential result: "I was having trouble logging into FooDocs.com, so my
> friend suggested I delete the cookies for that site. After that I could log
> in, but now the document I was working on this morning has lost all the
> changes I made! How do I get them back?"
>
> I suggest that the sub-section "Treating persistent storage as cookies" of
> section 6.1 be removed.
>
> —Jens
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20090825/a9040858/attachment-0002.htm>


More information about the whatwg mailing list