[whatwg] Web Storage: apparent contradiction in spec

Brady Eidson beidson at apple.com
Tue Aug 25 15:40:14 PDT 2009

On Aug 25, 2009, at 3:31 PM, Michael Nordman wrote:

> The statement in section 4.3 doesn't appear to specify any
> behavior... it's just an informational statement.
> The statement in section 6.1 suggests to prohibit the development of
> a UI that mentions local storage as a distinct repository separate
> from cookies. This doesn't belong in the spec imho.
> I think both of these statements should be dropped from the spec.

If all browsers go through great lengths to ensure that this data is  
as persistent as a local user file, but one browser decides it's only  
a cache and can prune it at will, then developers cannot rely on it.

I don't think 4.3 should be dropped - I think it should be  
strengthened to actually protect the data from any action not  
authorized by the user.

Browsers who wish to treat it as a local cache that they can prune at  
any time could give the user a checkbox labeled "Let me delete your  
stored data whenever I want" and this would qualify.  ;)

Yes, that's an unrealistic, hyperbolic example, but I stand by the  
point it illustrates!


PS: I am ambivalent about section 6.1, other than to reiterate I don't  
think the current language actually reflects the intended message.

> Ultimately I think UAs will have to prop up out-of-band  
> permissioning schemes to make stronger guarantees about how long  
> lived 'local data' that accumulates really is.
> On Tue, Aug 25, 2009 at 3:19 PM, Aaron Boodman <aa at google.com> wrote:
> On Tue, Aug 25, 2009 at 2:44 PM, Jeremy Orlow <jorlow at chromium.org> wrote:
> > Ok, well I guess we should go ahead and have this discussion now.  :-)  Does
> > anyone outside of Apple and Google have an opinion on the matter (since I
> > think it's pretty clear where we both stand).
> FWIW, I tend to agree more with the Apple argument :). I agree that
> the multiple malicious subdomains thing is unfortunate. Maybe the
> quotas should be per eTLD instead of -- or in addition to --
> per-origin? Malicious developers could then use multiple eTLDs, but at
> that point there is a real cost.
> Extensions are an example of an application that is less cloud-based.
> It would be unfortunate and weird for extension developers to have to
> worry about their storage getting tossed because the UA is running out
> of disk space.
> It seems more like if that happens the UA should direct the user to UI
> to free up some storage. If quotas were enforced at the eTLD level,
> wouldn't this be really rare?
> - a
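
Added example, not part of the original message or of any browser's code: a sketch of the quota accounting discussed in the quoted text above, comparing per-origin buckets with per-eTLD+1 buckets. The `QuotaLedger` class, the three-entry suffix set (a stand-in for the Public Suffix List) and the `example.com` hosts are constructed assumptions.

```javascript
// Added illustration: storage quota accounting keyed per origin vs. per eTLD+1.
// The suffix set is a tiny constructed stand-in for the Public Suffix List.
const SUFFIXES = new Set(["com", "org", "co.uk"]);

// Return the registrable domain (eTLD+1) of a hostname, using SUFFIXES.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  // Scanning from the left tries the longest candidate suffix first.
  for (let i = 0; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      // A bare public suffix has no registrable domain; account for it as itself.
      return labels.slice(Math.max(i - 1, 0)).join(".");
    }
  }
  return hostname.toLowerCase(); // unknown suffix: fall back to the full host
}

class QuotaLedger {
  // keyFn maps an origin to the bucket whose usage is capped at limitBytes.
  constructor(limitBytes, keyFn) {
    this.limit = limitBytes;
    this.keyFn = keyFn;
    this.used = new Map();
  }
  // Returns true and records the write if the bucket stays within its limit.
  tryWrite(origin, bytes) {
    const key = this.keyFn(origin);
    const next = (this.used.get(key) || 0) + bytes;
    if (next > this.limit) return false;
    this.used.set(key, next);
    return true;
  }
  totalBytes() {
    let sum = 0;
    for (const v of this.used.values()) sum += v;
    return sum;
  }
}

const byOrigin = (origin) => origin;
const byRegistrableDomain = (origin) => registrableDomain(new URL(origin).hostname);

// Constructed workload: n subdomains of one site each try to write `bytes`.
function simulate(ledger, n, bytes) {
  let accepted = 0;
  for (let i = 0; i < n; i++) {
    if (ledger.tryWrite(`https://s${i}.example.com`, bytes)) accepted++;
  }
  return { accepted, total: ledger.totalBytes() };
}
```

With a constructed 5 MB limit and 100 subdomains each writing 4 MB, the per-origin ledger accepts all 100 writes (400 MB on disk) while the per-eTLD+1 ledger accepts one.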
