[whatwg] Web Storage: apparent contradiction in spec

On Mon, Aug 31, 2009 at 11:01 AM, Jens Alfke <snej at google.com> wrote:

>
> On Aug 31, 2009, at 3:11 AM, Ian Hickson wrote:
>
>  We can't treat cookies and persistent storage differently, because
>> otherwise we'll expose users to cookie resurrection attacks. Maintaining
>> the user's expectations of privacy is critical.
>>
>
> The fact that local storage can be used as a type of super-cookie doesn't
> mean the two are the same thing. Yes, obviously if I give a website
> permission to put 50MB of stuff on my disk, it can use 1k of that as a type
> of cookie if it wants. That's just one of many reasons why user agents
> should require user approval for letting a domain access local storage.
>
> That does not mean that the "Delete Cookies" menu command should also
> delete local storage. Users often delete cookies to resolve login issues
> (I've had to do this with Google websites several times). Conflating the two
> can lead to disasters like "I told you to delete my COOKIES! Not my EMAIL
> DRAFTS that I was trying to log in to send!"


Agreed.


>  So I've removed the text that says that local storage could be
>> user-critical.
>>
>
> That's going to come as a shock to developers who were planning to use it
> for user-created data (whether drafts of content to be pushed to the cloud,
> or strictly-local documents.) Without this, the safe usage of local storage
> diminishes to a download cache.
>

Yes, this is pretty disconcerting since there's been OVERWHELMING support
for LocalStorage being treated as user-critical on this thread.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20090831/2cd61352/attachment.htm>

Received on Monday, 31 August 2009 11:12:42 UTC