[whatwg] Web Storage: apparent contradiction in spec

On Mon, Aug 31, 2009 at 11:50 AM, Jens Alfke <snej at google.com> wrote:

> On Aug 31, 2009, at 11:35 AM, Peter Kasting wrote:
>
> Again, the spec now says in 4.3: "User agents should expire data from the
> local storage areas only for security reasons or when requested to do so by
> the user."  The only stronger statement you could get would be by changing
> this to a "must".  It's not clear to me that that is going to result in any
> practical difference on the part of implementations or author perception.
>
>
> If you combine that statement with section 6.1's "User agents should
> present the persistent storage feature to the user in a way that does not
> distinguish them from HTTP session cookies", then the result is that, when
> the user requests to delete cookies from a site, the UA will also delete
> that site's local storage. That is *exactly* the behavior I am concerned
> about.
>

That's not true.  You're misinterpreting a statement about the granularity
of control users should have as one about what terminology a UA should use.
 The spec already recommends a bunch of things about what users should be
shown w.r.t. Local Storage, such as how much space a site is using, so it's
clear that a UA that wants to comply with this "should" is going to need to
construct UI that doesn't just use the word "cookies" everywhere but
actually presents the data as "here's your locally stored data for this
site" with local storage content enumerated.  Users won't be given a prompt
that says "clear cookies" that, confusingly, clears more than cookies;
they'll be given a prompt like "clear all locally stored data".

It seems like you're convinced that UAs won't create UI users can
understand, and so you're trying to make the spec mandate what you think
will be comprehensible for users.  IMO this is not only out-of-scope but
pointless, as UAs are going to do what they want anyway.  The spec is
already pretty clear in telling UAs not to be casual about things, I don't
think you're going to change what actually gets implemented by demanding
more.

> This sounds like you are either completely ignoring, or disagreeing with,
> my claim that UAs aren't going to be flippant about this data.
>
>
> If UA's shouldn't treat the data lightly, then I would prefer to see a
> statement to that effect in the spec, such as the one that was just deleted.
>

The sentence I quoted in 4.3 says _exactly_ that UAs should not treat data
lightly.

I think that (no offense) browser developers are not used to taking care of
> user-critical data for longer than the duration of a DOM tree or POST
> request.
>

This kind of generalization is just silly.  See e.g. saved passwords,
extensions, stored browsing history, persistent settings, etc.

PK
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20090831/8da9edfd/attachment.htm>

Received on Monday, 31 August 2009 12:04:51 UTC