W3C home > Mailing lists > Public > whatwg@whatwg.org > April 2009

[whatwg] Private browsing vs. Storage and Databases

From: Ian Fette <ifette@google.com>
Date: Tue, 7 Apr 2009 17:55:53 -0700
Message-ID: <bbeaa26f0904071755n4858439ra5623f4547da22c7@mail.gmail.com>
Yes. An incognito session starts with a blank profile, so no cookies, no
cache, ...
On Tue, Apr 7, 2009 at 5:52 PM, Brady Eidson <beidson at apple.com> wrote:

> That's interesting.  I'm not exactly clear what an "incognito" session
> starts out with.  Does it start without any cookies, for example?
> ~Brady
>
> On Apr 7, 2009, at 5:39 PM, Ian Fette (????????) wrote:
>
> In Chrome/Chromium, "incognito" mode is basically a new profile that is in
> memory (plus or minus... the cache will never get written out to disk,
> although of course the memory pages could get swapped out and hit the disk
> that way...). The implication is that, for many of these features, things
> could just naturally get handled. That is, whilst the session is active,
> pages can still use a database / local storage / ... / and at the end of the
> session, when that profile is deleted, things will go away. I personally
> like that approach, as there may be legitimate reasons to want to use a
> database even for just a single session. (Perhaps someone wants to edit a
> spreadsheet and the spreadsheet app wants to use a database on the client as
> a backing store for fast edits, I don't know...). I just don't like the idea
> of saying "Sorry, incognito/private/... means a class of pages won't work"
> if there's no reason it has to be that way.
> In short, I would prefer something closest to Option 3. It lets pages just
> work, but respects the privacy wishes of the user. (AppCache / persistent
> workers are the one exception where I think Option3 doesn't apply and we
> need to figure something out.)
>
> -Ian
>
> On Tue, Apr 7, 2009 at 5:24 PM, Brady Eidson <beidson at apple.com> wrote:
>
>> A commonly added feature in browsers these days is "private browsing mode"
>> where the intention is that the user's browsing session leaves no footprint
>> on their machine.  Cookies, cache files, history, and other data that the
>> browser would normally store to disk are not updated during these private
>> browsing sessions.
>>
>> This concept is at odds with allowing pages to store data on the user's
>> machine as allowed by LocalStorage and Databases.  Surly persistent changes
>> during a private browsing session shouldn't be written to the user's disk as
>> that would violate the intention of a private browsing session.
>>
>> Let's take the specific case of LocalStorage, which is what I am currently
>> working on with WebKit.  In attempting to fix this bug I came up with a few
>> possible solutions:
>>
>> 1 - Disable LocalStorage completely when private browsing is on.  Remove
>> it from the DOM completely.
>> 2 - Disable LocalStorage mostly when private browsing is on.  It exists at
>> window.localStorage, but is empty and has a 0-quota.
>> 3 - Slide a "fake" LocalStorage object in when private browsing is
>> enabled.  It starts empty, changes to it are successful, but it is never
>> written to disk.  When private browsing is disabled, all changes to the
>> private browsing proxy are thrown out.
>> 4 - Cover the real LocalStorage object with a private browsing layer.  It
>> starts with all previously stored contents.  Any changes to it are pretended
>> to occur, but are never written to disk.  When private browsing is disabled,
>> all items revert to the state they were in when private browsing was enabled
>> and writing changes to disk is re-enabled.
>> 5 - Treat LocalStorage as read-only when private browsing is on.  It
>> exists, and all previously stored contents can be retrieved.  Any attempt to
>> setItem(), removeItem(), or clear() fail.
>>
>> Option 1 is simple but painful for applications to get such different
>> behavior.
>> Option 2 is only a little more complicated, but also seems unsatisfactory.
>> Option 3 is simple to implement and option 4 would difficult to implement
>> efficiently.  Both would lead to bizarre behavior where data that the
>> application thought was saved really wasn't.
>>
>> For now we're going with option 5.  setItem() during private browsing will
>> fail with the QUOTA_EXCEEDED_ERR the spec mentions.  removeItem() and
>> clear() will silently fail, since the spec assumes they always succeed and
>> doesn't provide a failure mechanism.
>>
>> It seems the same issues apply to all the storage mechanisms, be it
>> LocalStorage, SessionStorage (with optional session resuming), and
>> Databases.
>> I have a few questions I think it would be wise for the spec to address
>> for all of these:
>> 1 - What *should* the specified behavior be?
>> 2 - If read-only ends up being the specified behavior, should we have a
>> mechanism for removeItem() and clear() to demonstrate that they failed?
>>
>> Thanks,
>> ~Brady
>>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20090407/85dac2f8/attachment-0001.htm>
Received on Tuesday, 7 April 2009 17:55:53 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 22 January 2020 16:59:11 UTC