Re: [whatwg/storage] Moving text from HTML's web storage into the Storage Standard (#95)

> 1. This is covered by https://whatpr.org/storage/93.html#management and being much more explicit about when data is created. The same rules as elsewhere apply. Unless anything suggests it's allowed, it's not.

I can't find anything in Storage that says user agents are allowed to clear session storage upon user request or for security reasons. I can only find storage pressure.

> 2. What it calls storage areas are storage bottles and they are still restricted as per #97. Making that advice more general would warrant more discussion. In general I like the balance between https://whatpr.org/storage/93.html#usage-and-quota and https://whatpr.org/storage/93.html#storage-pressure giving user agents more ability to let applications get hold of more storage if they need it (as well as removing things if they don't).

The sentence (2) talks about a limit on the total size consumed by all bottles. I cannot find a counterpart in Storage.

> 3. I covered this upthread.

Are you referring to

> As part of Storage Standard discussions we have discussed origin vs site as well and my recollection is that in general we don't really want to put sites on a pedestal and instead encourage mitigations that also work against a bad actor that has 10k to buy some registrable domains (or uses github.io or some such).

If so, I'd like to get general confirmation that we want to remove this restriction. As I said above, it seems like Chrome does not intend to implement the restriction, and I guess maybe you're saying Firefox doesn't either?

> 4. I don't think we should be prompting the user and this model isn't really workable for a site that wants to store a lot of data. It gets an exception, then the user gets prompted, but how does the site know?

This seems reasonable, but I'd like us to note it as a normative change, since we're disallowing user agents from doing something. We should also ensure that no user agents are currently doing it.

> 5. Allowing users to clear sites is covered by https://whatpr.org/storage/93.html#ui-guidelines and I think that's good enough. I'm not convinced we should make the UI requirements that specific.

I'm hesitant to remove user-friendly normative text from the specification.

> 6. Discussed above.

Should we add the opposite statement? This seems important for interoperability... otherwise the 5 MiB quota is pretty meaningless.

https://github.com/whatwg/storage/issues/95#issuecomment-641599070

Received on Tuesday, 9 June 2020 21:46:27 UTC