
[clear-site-data] implications on autofill / autocomplete behavior by browsers

From: Caleb Queern <cqueern@gmail.com>
Date: Mon, 20 Jul 2015 10:03:04 -0700
Message-ID: <CAEnXMMp9Gb2709F9EHJj-2UFwcu1M2w8CQRSrg=ko0HN7kDQ0g@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

Hello all,

Currently the abstract of the spec for Clear Site Data reads that CSD is:

"an imperative mechanism which allows web developers to instruct a user
agent to clear a user’s locally stored data related to a host and its
subdomains."

However, I don't believe the spec addresses some information that some
browsers retain related to a host and its subdomains, as it is currently
written. If I'm not mistaken, autofill (at least in Chrome) remembers the
searches I run against a site.

For example, when entering a query on a site's search field, if I've run
searches using that site's search field in the past, Chrome may begin
autofilling the input field with the searches I've run on that site in the
past.

That is to say, those traces of my previous visits are site-specific
(host-specific, not cross origin) yet would persist on the client even if
the developers implement Clear Site Data.

I'm not suggesting that the spec needs to address this specific behavior
but that it should be written to clarify that this example of locally
stored data related to a host and its subdomains is or is not cleared by
the CSD directive.
Received on Monday, 20 July 2015 17:11:11 UTC
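To make the scope question in the message above concrete, here is a small added example (not code from the post, the list, or the Clear Site Data spec itself) that builds and parses the Clear-Site-Data response header a site would send, for instance on logout. The directive names used are the ones the spec defines; the `logout_response_headers` helper and the cookie name `session` are hypothetical. Nothing in the header vocabulary refers to the browser's form-history or autofill suggestions, which is exactly the gap the post describes: a site that sends this header has done what the spec offers, and the search strings the browser remembered for its search field are outside it.

```python
# Added example (not from the mailing-list post): building and parsing the
# Clear-Site-Data response header. The directive names are those defined by
# the Clear Site Data spec; browser form-history / autofill suggestions are
# not among them, which is the gap the post describes.

# Data types the header can name (spec-defined). "*" means all of them.
CLEAR_SITE_DATA_TYPES = frozenset(
    {"cache", "cookies", "storage", "executionContexts", "*"}
)


def clear_site_data_header(types):
    """Return (header_name, header_value) for the given data types.

    Raises ValueError for a type the spec does not define, so a typo such
    as "cookie" fails loudly at the server instead of being silently
    ignored by the browser and clearing nothing.
    """
    unknown = [t for t in types if t not in CLEAR_SITE_DATA_TYPES]
    if unknown:
        raise ValueError(f"unknown Clear-Site-Data type(s): {unknown}")
    # Each directive is a quoted string; directives are comma-separated.
    value = ", ".join(f'"{t}"' for t in types)
    return ("Clear-Site-Data", value)


def parse_clear_site_data(value):
    """Parse a header value into the list of recognised data types.

    Unquoted or unrecognised tokens are dropped, mirroring the spec's rule
    that user agents ignore types they do not know.
    """
    recognised = []
    for token in value.split(","):
        token = token.strip()
        if len(token) >= 2 and token[0] == '"' and token[-1] == '"':
            name = token[1:-1]
            if name in CLEAR_SITE_DATA_TYPES:
                recognised.append(name)
    return recognised


def logout_response_headers(session_cookie_name="session"):
    """Hypothetical logout handler: the headers a server adds to the
    logout response. Constructed for illustration only."""
    name, value = clear_site_data_header(["cookies", "storage", "cache"])
    return {
        name: value,
        # Expire the session cookie explicitly as well: a browser that does
        # not implement Clear-Site-Data still honours Set-Cookie.
        "Set-Cookie": f"{session_cookie_name}=; Max-Age=0; Path=/; Secure; HttpOnly",
    }


if __name__ == "__main__":
    for k, v in logout_response_headers().items():
        print(f"{k}: {v}")
```

The parser is the defender-side check: run it over the headers your logout endpoint actually emits and you can see which data types a conforming browser will clear, and, by omission, which locally stored traces (such as remembered search-field entries) it will not.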
