- From: Mike West <mkwst@google.com>
- Date: Tue, 21 Jul 2015 06:38:01 +0200
- To: Caleb Queern <cqueern@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=dhXux0SS8HM_FR0kZmLr5H47RtjJawyA4fcpTUmKFCrw@mail.gmail.com>
Hey Caleb!

On Mon, Jul 20, 2015 at 7:03 PM, Caleb Queern <cqueern@gmail.com> wrote:

> "an imperative mechanism which allows web developers to instruct a user
> agent to clear a user’s locally stored data related to a host and its
> subdomains."

I changed this yesterday based on your earlier email to refer to a "site's" data rather than a "user's" data. I'll probably need to rephrase it again, since the data isn't _really_ the site's, but I hope the intent is more clear.

> However, I don't believe the spec addresses some information that some
> browsers retain related to a host and its subdomains, as it is currently
> written. If I'm not mistaken, autofill (at least in Chrome) remembers the
> searches I run against a site.

Autofill and password manager data are interesting, but I don't think this API should allow a site to remove them. I think there's a relevant distinction between data that a site directly affects via imperative (indexed db) or declarative (the network cache) mechanisms on the one hand, and data that the user agent stores on a user's behalf on the other. The latter seems outside the scope of the feature, as it should be strictly under the user's control; I expect we'd generate data loss issues if we had a blanket policy of removing everything the user agent knows about a website.

> I'm not suggesting that the spec needs to address this specific behavior
> but that it should be written to clarify that this example of locally
> stored data related to a host and its subdomains is or is not cleared by
> the CSD directive.

I'll try to be more explicit in the privacy considerations section. In short, this doesn't intend to provide a user-facing privacy control which would allow users to deny historical activity on a site. That's something that's well-suited to a browser's own UI, but shouldn't be the responsibility of the web developer.

-- Mike West <mkwst@google.com>, @mikewest Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Tuesday, 21 July 2015 04:38:50 UTC