Re: [whatwg/storage] Moving text from HTML's web storage into the Storage Standard (#95)

> # Disk space
>
> User agents should limit the total amount of space allowed for storage areas, because hostile authors could otherwise use this feature to exhaust the user's available disk space.
>
> User agents should guard against sites storing data under their origin's other affiliated sites, e.g., storing up to the limit in a1.example.com, a2.example.com, a3.example.com, etc, circumventing the main example.com storage limit.
>
> User agents may prompt the user when quotas are reached, allowing the user to grant a site more space. This enables sites to store many user-created documents on the user's computer, for instance.
>
> User agents should allow users to see how much space each domain is using.
>
> A mostly arbitrary limit of five megabytes per origin is suggested. Implementation feedback is welcome and will be used to update this suggestion in the future.
>
> For predictability, quotas should be based on the uncompressed size of data stored.

https://www.w3.org/Bugs/Public/show_bug.cgi?id=21319#c3 is linked in the source for the last paragraph, which makes me question how much buy-in it has.

As part of Storage Standard discussions we have discussed origin vs site as well and my recollection is that in general we don't really want to put sites on a pedestal and instead encourage mitigations that also work against a bad actor that has 10k to buy some registrable domains (or uses github.io or some such).

I think the other requirements are already captured by the existing text. The one exception is the 5 MiB limit. We might well want to keep that for localStorage/sessionStorage, but the current infrastructure doesn't cleanly allow for it. #69 might help with this I suppose.

https://github.com/whatwg/storage/issues/95#issuecomment-635990959

Received on Friday, 29 May 2020 14:06:41 UTC