[whatwg] Web Storage: apparent contradiction in spec

Ian Hickson ian at hixie.ch
Thu Sep 3 05:56:41 PDT 2009


On Mon, 31 Aug 2009, Jens Alfke wrote:
> On Aug 31, 2009, at 3:11 AM, Ian Hickson wrote:
> > 
> > We can't treat cookies and persistent storage differently, because 
> > otherwise we'll expose users to cookie resurrection attacks. 
> > Maintaining the user's expectations of privacy is critical.
> 
> The fact that local storage can be used as a type of super-cookie 
> doesn't mean the two are the same thing.

The fact that local storage can be used for cookie resurrection means we 
have to make sure that clearing one clears the other. Anything else would 
be a huge privacy issue (just as Flash has been).


> That's just one of many reasons why user agents should require user 
> approval for letting a domain access local storage.

I disagree that they should, and more importantly, as shipped in multiple 
browsers, they don't, which likely means we can never make it such that 
UAs require user approval.


> That does not mean that the "Delete Cookies" menu command should also 
> delete local storage. Users often delete cookies to resolve login issues 
> (I've had to do this with Google websites several times). Conflating the 
> two can lead to disasters like "I told you to delete my COOKIES! Not my 
> EMAIL DRAFTS that I was trying to log in to send!"

Certainly the UI issues around this are non-trivial, and one would hope 
that the UA will help the user handle these cases securely. But authors 
equally don't want to end up with the more insidious situation of 
companies tracking them without their knowledge even though they think 
they are safe due to clearing cookies.


> > So I've removed the text that says that local storage could be 
> > user-critical.
> 
> That's going to come as a shock to developers who were planning to use 
> it for user-created data (whether drafts of content to be pushed to the 
> cloud, or strictly-local documents.) Without this, the safe usage of 
> local storage diminishes to a download cache.

I don't see what else we can do.


On Mon, 31 Aug 2009, Jeremy Orlow wrote:
> 
> Yes, this is pretty disconcerting since there's been OVERWHELMING 
> support for LocalStorage being treated as user-critical on this thread.

It doesn't matter how much support a proposal gets, only technical merits 
matter here.


On Mon, 31 Aug 2009, Peter Kasting wrote:
> 
> It seems like you're convinced that UAs won't create UI users can 
> understand, and so you're trying to make the spec mandate what you think 
> will be comprehensible for users.  IMO this is not only out-of-scope but 
> pointless, as UAs are going to do what they want anyway.  The spec is 
> already pretty clear in telling UAs not to be casual about things, I 
> don't think you're going to change what actually gets implemented by 
> demanding more.

Indeed.


On Wed, 2 Sep 2009, Peter Kasting wrote:
> 
> It still seems like you are interpreting this statement as saying that 
> the UA must not allow users to keep/clear cookies separately from Local 
> Storage data.  While on the face of it that seems like a possible 
> interpretation, I think it's clear that this would be a lousy user 
> experience and detrimental to developers as well.  Therefore I am 
> convinced that the intent of the statement is to say that UAs must give 
> users the same _abilities_ to see and clear Local Storage data as they 
> already have with cookies, not that the two things should always be 
> lumped together and made indistinguishable.

Not necessarily indistinguishable, but the point is that the user 
should have a clear indication that just clearing cookies is pointless if 
the rest of the site's data isn't cleared also.

I've tried to clarify the text a bit here.


On Mon, 31 Aug 2009, Mike Shaver wrote:
> On Mon, Aug 31, 2009 at 6:11 AM, Ian Hickson <ian at hixie.ch> wrote:
> > We can't treat cookies and persistent storage differently, because 
> > otherwise we'll expose users to cookie resurrection attacks. 
> > Maintaining the user's expectations of privacy is critical.
> 
> By that reasoning we can't treat cookies differently from the HTTP cache 
> (ETag) or history (URIs with session IDs), I think.

Indeed; that's an issue for the HTTP spec, though, and is out of scope 
for Web Storage and HTML5.


> I don't know of any UAs that expire history/cookie/cache in sync to 
> avoid correlations -- if it's even possible to do so -- and I don't 
> think I've seen any bugs asking Firefox to do so.

It's a lot easier to do cookie resurrection with local storage than with 
the HTTP cache, but I imagine that if anyone ever gets around to doing it 
with the cache, this will suddenly surge in the public consciousness, so 
it might be something to deal with in advance anyway.


On Tue, 1 Sep 2009, Linus Upson wrote:
> On Mon, Aug 31, 2009 at 3:11 AM, Ian Hickson <ian at hixie.ch> wrote:
> > >
> > > In addition, I'd like to see the pop-up dialogs for the location API 
> > > removed. I find the "Can I know where you are?" dialogs on the 
> > > iPhone very annoying. Mistakes were made. Perhaps we can find a way 
> > > to make <input type="location"> work well instead.
> >
> > The geolocation model is asynchronous, which gets around this neatly 
> > (the UI can slide in and the user can ignore it until he's ready to 
> > give his location).
> 
> Please take into account that email is asynchronous but spam is still 
> annoying.

I don't really see this as analogous.

-- 
Ian Hickson               U+1047E                )\._.,--....,'``.    fL
http://ln.hixie.ch/       U+263A                /,   _.. \   _\  ;`._ ,.
Things that are impossible just take longer.   `._.-(,_..'--(,_..'`-.;.'


