[whatwg] Web Storage: apparent contradiction in spec

On Sep 1, 2009, at 12:11 AM, Adrian Sutton wrote:

> On 01/09/2009 00:14, "Tab Atkins Jr." <jackalmage at gmail.com> wrote:
>> Sure, the ones using it for tracking that care *that much* will use
>> other solutions anyway.  But people who just want some persistent
>> storage as part of their app, because it's useful to their users,  
>> will
>> use the browser-native solution if it works.  If LocalStorage is
>> explicitly supposed to be as ephemeral of cookies, though, that will
>> push people towards stuff like Flash LocalStorage instead.
>
> No one in their right mind would use flash LocalStorage for user  
> critical
> data.

This is wrong.  That developers use Flash LocalStorage for this is not  
hypothetical.  It's the best option they have, so they've been doing  
it - even though it has its own horrible flaws.

> It's great for tracking because most users don't know how to clear
> it, but because user's don't know about it they also don't back it  
> up or
> transfer it to new computers/browsers etc.

Tracking aside, Flash LocalStorage *is* also used for storage of user  
data.  It is flawed for this, but the fact is:  Flash LocalStorage is  
currently the best way to store data on the client machine and have a  
reasonable expectation that it will be there in the future.  If HTML5  
LocalStorage isn't *at least as reliable*, then developers will keep  
using Flash.

That users don't know about it and don't know to back-up or transfer  
this data is something that user agents have an interest to change,  
but plug-in developers probably don't.

> Besides which, there are already very popular UAs that have no  
> support for
> Flash and thus no Flash LocalStorage.  It would be nice to not  
> create the
> same privacy hole on those platforms.

Equating HTML5 LocalStorage with a "privacy hole" seems to be a bit of  
a hyperbole, and a bit unfounded.  The fact that we're still having  
this discussion is reflective of how much browser developers have  
learned about the security of the web and our users data, and how  
little we want to repeat past mistakes.

Flash LocalStorage is the *current* privacy hole, and we won't move  
the web forward and bring this type of data into the light until we  
can at least match the expectations developers already have.

~Brady


>
> Regards,
>
> Adrian Sutton.
> ______________________
> Adrian Sutton, CTO
> UK: +44 1 628 200 182 x481  US: +1 (650) 292 9659 x717
> Ephox <http://www.ephox.com/>
> Ephox Blogs <http://planet.ephox.com/>, Personal Blog
> <http://www.symphonious.net/>
>

Received on Tuesday, 1 September 2009 09:27:19 UTC