[whatwg] Web Storage: apparent contradiction in spec
beidson at apple.com
Tue Aug 25 15:40:14 PDT 2009
On Aug 25, 2009, at 3:31 PM, Michael Nordman wrote:
> The statement in section 4.3 doesn't appear to specify any
> behavior... it's just an informational statement.
> The statement in section 6.1 suggests to prohibit the development of
> a UI that mentions local storage as a distinct repository separate
> from cookies. This doesn't belong in the spec imho.
> I think both of these statements should be dropped from the spec.
If all browsers go to great lengths to ensure that this data is
as persistent as a local user file, but one browser decides it's only
a cache and can prune it at will, then developers cannot rely on it.
I don't think 4.3 should be dropped - I think it should be
strengthened to actually protect the data from any action not
authorized by the user.
Browsers who wish to treat it as a local cache that they can prune at
any time could give the user a checkbox labeled "Let me delete your
stored data whenever I want" and this would qualify. ;)
Yes, that's an unrealistic, hyperbolic example, but I stand by the
point it illustrates!
PS: I am ambivalent about section 6.1, other than to reiterate I don't
think the current language actually reflects the intended message.
> Ultimately I think UAs will have to prop up out-of-band
> permissioning schemes to make stronger guarantees about how long
> lived 'local data' that accumulates really is.
> On Tue, Aug 25, 2009 at 3:19 PM, Aaron Boodman <aa at google.com> wrote:
> On Tue, Aug 25, 2009 at 2:44 PM, Jeremy Orlow<jorlow at chromium.org>
> > Ok, well I guess we should go ahead and have this discussion now. :-)
> > Does anyone outside of Apple and Google have an opinion on the matter
> > (since I think it's pretty clear where we both stand).
> FWIW, I tend to agree more with the Apple argument :). I agree that
> the multiple malicious subdomains thing is unfortunate. Maybe the
> quotas should be per eTLD instead of -- or in addition to --
> per-origin? Malicious developers could then use multiple eTLDs, but at
> that point there is a real cost.
> Extensions are an example of an application that is less cloud-based.
> It would be unfortunate and weird for extension developers to have to
> worry about their storage getting tossed because the UA is running out
> of disk space.
> It seems more like if that happens the UA should direct the user to UI
> to free up some storage. If quotas were enforced at the eTLD level,
> wouldn't this be really rare?
> - a