[whatwg] Web Storage: apparent contradiction in spec

On Thu, Sep 3, 2009 at 8:56 AM, Ian Hickson<ian at hixie.ch> wrote:
> The fact that local storage can be used for cookie resurrection means we
> have to make sure that clearing one clears the other. Anything else would
> be a huge privacy issue (just as Flash has been).

The *only* reason Flash is a privacy issue is because there's no easy
way for users to clear its storage.  The issue here isn't the
technical details of how the storage works, but the UI.  Adobe, for
whatever reason, has chosen not to bother with helping Flash users
preserve their privacy, and because of lock-in, browser vendors are
unable to do anything about it.  All major browser vendors have a
track record of going to great lengths to ensure that their users'
privacy is protected from third-party websites.  I think it's safe to
say they'll compete to create good UI in this case -- even if
technically, the functionality of HTML 5 localStorage is identical to
that of Flash local storage.  The spec doesn't need to try specifying
UI here (especially since it seems like it will be ignored).

> Not necessarily indistuingushable, but the point is that the user
> should have a clear indication that just clearing cookies is pointless if
> the rest of the site's data isn't cleared also.

Users might wish to clear their cookies for reasons other than
privacy, such as because they're having login problems.

Received on Thursday, 3 September 2009 07:20:35 UTC