- From: Mike West <mkwst@google.com>
- Date: Fri, 12 Jun 2015 16:25:51 +0200
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Cc: Brad Hill <hillbrad@gmail.com>, Tanvi Vyas <tanvi@mozilla.com>, Jake Archibald <jakearchibald@google.com>, Alex Russell <slightlyoff@google.com>, Jonas Sicking <jonas@sicking.cc>
- Message-ID: <CAKXHy=fVFk+W7WZbj=5UYVaFYH8wphJnv3=BSNU9Zr0nPRz4LQ@mail.gmail.com>
TL;DR: Strawman spec at https://mikewest.github.io/webappsec/specs/clear-site-data/. Feedback welcome!

Hello, lovely denizens of public-webappsec and public-webapps!

# Use Cases

In some conversations with some application developers, the idea of allowing an origin some declarative mechanism of clearing out all locally stored data has come up a few times in various contexts. Folks see such a mechanism as a step towards recovering from annoyingly persistent XSS attacks, or as a mechanism for ensuring that user data doesn't persist on disk after logout.

# Workarounds

Site authors can remove data from a number of storage mechanisms via JavaScript, but others are difficult to deal with reliably. Consider cookies, for instance, which can be partially cleared via JavaScript access to `document.cookie`. `HttpOnly` cookies, however, can only be removed via a number of `Set-Cookie` headers in an HTTP response. This, of course, requires exhaustive knowledge of all the cookies set for a host, which can be complicated to ascertain. Cache is still harder; no imperative interface to a browser's network cache exists, period.

# Proposal

I've taken a stab at sketching out what such an API might look like, and I'd appreciate any feedback you might have: https://mikewest.github.io/webappsec/specs/clear-site-data/. It's intentionally quite simple: an (authenticated and encrypted) HTTP response that contains a `Clear-Site-Data: *` header will trigger clearing. Cookies may be excluded via `Clear-Site-Data: retainCookies`. Subdomains may be included via `Clear-Site-Data: *; includeSubdomains`. More examples are available at https://mikewest.github.io/webappsec/specs/clear-site-data/#examples.

My hope is that this functionality maps pretty cleanly onto the kinds of data-clearing functionality that user agents already offer to users, and so won't be a terrible stretch for implementers.

WDYT? Is something like this strawman appealing as work that either WebAppSec or WebApps could take on?
CCing a few folks who I've poked at about these topics in the recent past.

--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891; registered office: Hamburg; managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Friday, 12 June 2015 14:26:40 UTC