[whatwg] Web Storage: apparent contradiction in spec
James Graham
jgraham at opera.com
Mon Aug 31 14:04:31 PDT 2009
Quoting Ian Hickson <ian at hixie.ch>:
> On Tue, 25 Aug 2009, Jens Alfke wrote:
>> Potential result: "I was having trouble logging into FooDocs.com, so my
>> friend suggested I delete the cookies for that site. After that I could log
>> in, but now the document I was working on this morning has lost all the
>> changes I made! How do I get them back?"
>>
>> I suggest that the sub-section "Treating persistent storage as cookies" of
>> section 6.1 be removed.
>
> We can't treat cookies and persistent storage differently, because
> otherwise we'll expose users to cookie resurrection attacks. Maintaining
> the user's expectations of privacy is critical.
I think the paragraph under "treating persistent storage as cookies"
should simply be removed. The remainder of that section already does
an adequate job of explaining the privacy implications of persistent
storage. The UI should be entirely at the discretion of the browser
vendor since it involves a variety of tradeoffs, with the optimum
solution depending on the anticipated user base of the browser.
Placing spec requirements simply limits the abilities of browser
vendors to find innovative solutions to the problem. In addition,
since there is no interoperability requirement here, using RFC 2119
language seems inappropriate; especially since the justification given
is rather weak ("this might encourage users?") and not supported by
any evidence.
As to what browser vendors should actually _do_, it seems to me that
the "user's expectations of privacy" is actually an illusion in this
case; all the bad stuff that can be done with persistent storage can
already be done using a variety of techniques. Trying to fix up this
one case seems like closing the stable door after the horse has
bolted. Therefore the "delete local storage when you delete cookies"
model seems flawed, particularly as it can lead to the type of problem
that Jens described above.
On a slightly different topic, it is unclear what the relationship
between the statement in section 4.3 "User agents should expire data
from the local storage areas only for security reasons or when
requested to do so by the user" and the statement in section 6.1 "User
agents may automatically delete stored data after a period of time."
is supposed to be. Does the latter count as a security reason?
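The tradeoff the thread argues over, as an added illustration that is not part of the thread or of any browser's code: a constructed model of one origin's cookie jar and localStorage, two hypothetical "clear cookies" policies (cookies only, versus cookies and persistent storage together), a site that mirrors its visitor identifier into localStorage and restores the cookie from it (the pattern the "cookie resurrection" concern refers to), and Jens's document editor keeping an unsaved draft in localStorage. All names, policies and sample data here are assumptions for the model.

```javascript
// Constructed model: one origin's storage as a browser might hold it.
// Added example; not code from the thread or from any browser.
class OriginStorage {
  constructor() {
    this.cookies = new Map();      // cookie name -> value
    this.localStorage = new Map(); // localStorage key -> value
  }
}

// Hypothetical policy A: clearing cookies leaves localStorage untouched.
function clearCookiesOnly(store) {
  store.cookies.clear();
}

// Hypothetical policy B ("treat persistent storage as cookies"): both go together.
function clearCookiesAndStorage(store) {
  store.cookies.clear();
  store.localStorage.clear();
}

// A site script that assigns a visitor id as a cookie. When mirrorIdentifier
// is true it also keeps a copy in localStorage and restores the cookie from
// that copy whenever the cookie is missing; this is the resurrection pattern.
function siteVisit(store, newId, mirrorIdentifier) {
  let id = store.cookies.get('visitor');
  if (!id) {
    id = (mirrorIdentifier && store.localStorage.get('visitor')) || newId();
    store.cookies.set('visitor', id);
  }
  if (mirrorIdentifier) store.localStorage.set('visitor', id);
  return id;
}

// The document editor from Jens's scenario: unsaved work lives in localStorage.
function saveDraft(store, text) {
  store.localStorage.set('draft', text);
}
function loadDraft(store) {
  return store.localStorage.get('draft') ?? null;
}

// Run one visit, save a draft, apply the clearing policy, visit again, and
// report whether the identifier was resurrected and whether the draft survived.
function simulate(clearPolicy, mirrorIdentifier) {
  const store = new OriginStorage();
  let counter = 0;
  const newId = () => `id-${++counter}`; // constructed, deterministic ids

  const before = siteVisit(store, newId, mirrorIdentifier);
  saveDraft(store, 'unsaved edits from this morning');
  clearPolicy(store);
  const after = siteVisit(store, newId, mirrorIdentifier);

  return {
    identifierSurvived: before === after,
    draftSurvived: loadDraft(store) !== null,
  };
}

// Stand-alone run prints the three combinations discussed above.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('cookies only, site mirrors id:   ', simulate(clearCookiesOnly, true));
  console.log('cookies + storage, site mirrors: ', simulate(clearCookiesAndStorage, true));
  console.log('cookies only, site does not mirror:', simulate(clearCookiesOnly, false));
}
```

Under policy A a mirroring site gets its identifier back after the user clears cookies, which is the privacy concern Ian raises; under policy B the identifier is gone but so is the draft, which is the data-loss outcome Jens describes. The third run shows that the draft survives policy A when the site simply does not mirror identifiers, so the outcome depends on site behaviour as well as on the browser's clearing policy.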