[whatwg] Web Storage: apparent contradiction in spec

Quoting Ian Hickson <ian at hixie.ch>:

> On Tue, 25 Aug 2009, Jens Alfke wrote:
>> Potential result: "I was having trouble logging into FooDocs.com, so my friend
>> suggested I delete the cookies for that site. After that I could log in, but
>> now the document I was working on this morning has lost all the changes I
>> made! How do I get them back?"
>>
>> I suggest that the sub-section "Treating persistent storage as cookies" of
>> section 6.1 be removed.
>
> We can't treat cookies and persistent storage differently, because
> otherwise we'll expose users to cookie resurrection attacks. Maintaining
> the user's expectations of privacy is critical.

I think the paragraph under "treating persistent storage as cookies"  
should simply be removed. The remainder of that section already does  
an adequate job of explaining the privacy implications of persistent  
storage. The UI should be entirely at the discretion of the browser  
vendor since it involves a variety of tradeoffs, with the optimum  
solution depending on the anticipated user base of the browser.  
Placing spec requirements simply limits the abilities of browser  
vendors to find innovative solutions to the problem. In addition,  
since there is no interoperability requirement here, using RFC 2119  
language seems inappropriate; especially since the justification given  
is rather weak ("this might encourage users?") and not supported by  
any evidence.

As to what browser vendors should actually _do_, it seems to me that  
the "user's expectations of privacy" is actually an illusion in this  
case; all the bad stuff that can be done with persistent storage can  
already be done using a variety of techniques. Trying to fix up this  
one case seems like closing the stable door after the horse has  
bolted. Therefore the "delete local storage when you delete cookies"  
model seems flawed, particularly as it can lead to the type of problem  
that Jens described above.

On a slightly different topic, it is unclear what the relationship  
between the statement in section 4.3 "User agents should expire data  
from the local storage areas only for security reasons or when  
requested to do so by the user" and the statement in section 6.1 "User  
agents may automatically delete stored data after a period of time."  
is supposed to be. Does the latter count as a security reason?

Received on Monday, 31 August 2009 14:04:31 UTC
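Added example, not part of the thread above: a minimal model of the "cookie resurrection" attack Ian Hickson cites and of the two clearing policies the message argues about. The cookie jar and storage area are plain objects standing in for document.cookie and window.localStorage so the script runs under Node; every function name is hypothetical. Policy A clears cookies alone, as the reply proposes leaving to vendor discretion; policy B is the draft's "treat persistent storage as cookies" behaviour. The scenario also stores an unsaved draft in localStorage, which is Jens's lost-document case.

```javascript
// Added example (hypothetical names), not code from the whatwg thread.
// A site's storage in the browser is modelled as two plain objects standing
// in for document.cookie and window.localStorage.
function newOrigin() {
  return { cookies: {}, localStorage: {} };
}

// Stand-in for a random tracking identifier.
function mintId() {
  return Math.random().toString(16).slice(2, 18);
}

// What a tracking script does on every page load: read the ID from a
// cookie, fall back to localStorage, mint a fresh one only if neither
// store has it, then write it back to BOTH stores. The write-back is the
// resurrection: whichever store the user failed to clear repopulates the
// other one on the next visit.
function getOrCreateTrackingId(origin) {
  let id = origin.cookies.uid || origin.localStorage.uid;
  if (!id) id = mintId();
  origin.cookies.uid = id;
  origin.localStorage.uid = id;
  return id;
}

// Policy A: "delete cookies" clears only the cookie jar.
function clearCookiesOnly(origin) {
  origin.cookies = {};
}

// Policy B: the draft's "treating persistent storage as cookies" text,
// where clearing cookies for a site clears its local storage area too.
function clearCookiesAndStorage(origin) {
  origin.cookies = {};
  origin.localStorage = {};
}

// Run one scenario under a given clearing policy: the site sets an ID and
// stores an unsaved draft, the user clears, the site is revisited.
// Returns whether the original ID came back and whether the draft survived.
function scenario(clearFn) {
  const origin = newOrigin();
  const firstId = getOrCreateTrackingId(origin);
  origin.localStorage.draft = 'unsaved edits (constructed sample value)';

  clearFn(origin);

  const secondId = getOrCreateTrackingId(origin);
  return {
    resurrected: firstId === secondId,
    draftSurvived: origin.localStorage.draft !== undefined,
  };
}

if (typeof module !== 'undefined' && require.main === module) {
  console.log('policy A (cookies only)      :', scenario(clearCookiesOnly));
  console.log('policy B (cookies + storage) :', scenario(clearCookiesAndStorage));
}
```

Under policy A the identifier is resurrected from localStorage and the draft survives; under policy B the identifier is gone but so is the draft. The model makes the tradeoff in the thread concrete: the spec text buys the privacy property at the cost of the data-loss scenario Jens describes, and a vendor choosing a different UI is choosing a different point on that line, not escaping it.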