[whatwg] Web Storage: apparent contradiction in spec from Tab Atkins Jr. on 2009-08-31 (public-whatwg-archive@w3.org from August 2009)

From: Tab Atkins Jr. <jackalmage@gmail.com>
Date: Mon, 31 Aug 2009 13:36:41 -0500
Message-ID: <dd0fbad0908311136xd95f556s13f75124f19907a8@mail.gmail.com>

On Mon, Aug 31, 2009 at 5:11 AM, Ian Hickson<ian at hixie.ch> wrote:
> On Tue, 25 Aug 2009, Jens Alfke wrote:
>>
>> I've just noticed an apparent self-contradiction in the Web Storage spec (24
>> August draft).
>>
>> Section 4.3 states:
>> > Data stored in local storage areas should be considered potentially
>> > user-critical. It is expected that Web applications will use the local
>> > storage areas for storing user-written documents.
>>
>> Section 6.1 states:
>> > User agents should present the persistent storage feature to the user in a
>> > way that does not distinguish them from HTTP session cookies.
>>
>> These statements are contradictory, because cookies don't store user-critical
>> data such as documents. The user model of cookies is that they're conveniences
>> (at best) for keeping you logged into a site or remembering preferences like
>> font-size, so deleting them is no more than an inconvenience. If local storage
>> is presented to the user as being cookies, then a user may delete it without
>> understanding the consequences.
>>
>> Potential result: "I was having trouble logging into FooDocs.com, so my friend
>> suggested I delete the cookies for that site. After that I could log in, but
>> now the document I was working on this morning has lost all the changes I
>> made! How do I get them back?"
>>
>> I suggest that the sub-section "Treating persistent storage as cookies" of
>> section 6.1 be removed.
>
> We can't treat cookies and persistent storage differently, because
> otherwise we'll expose users to cookie resurrection attacks. Maintaining
> the user's expectations of privacy is critical.
>
> So I've removed the text that says that local storage could be
> user-critical.

Outlawing persistent storage in HTML5 as a privacy mechanism does
*nothing* for privacy.  There are numerous methods, Flash LocalStorage
in particular, that can and will be used to achieve what we developers
want.  These methods will be *harder* for the end-user to monitor and
control, and result in privacy violations being *easier*.

What you see as a reasonable step to protect privacy, we see as an
admonition that we'd better get used to Flash, because it's here to
stay.

~TJ

Received on Monday, 31 August 2009 11:36:41 UTC