[whatwg] Web Storage: apparent contradiction in spec

On Thu, Sep 3, 2009 at 5:48 PM, Peter Kasting<pkasting at google.com> wrote:
> On Thu, Sep 3, 2009 at 3:44 PM, Tab Atkins Jr. <jackalmage at gmail.com> wrote:
>> And more-than-a-cache-Storage can be explicitly turned off or have its
>> quota dropped to zero. ?If that's important, the browsers will make it
>> easy. ?And more importantly, they'll make it *consistent* (within the
>> browser), rather than the user having to figure out how to do it
>> within Flash, then possibly within the next technology that hacks
>> around this lack in browser technology, and the next one...
> As a UA author I see nothing in the spec that prevents this *now*.

Indeed, I don't either.  I'm not sure that Ian's considering that, as
an informed user who highly values his privacy, he would have such
controls available to him.

>> If this is important, browsers will
>> expose the ability to blow away all of a site's storages at once.
>> There's nothing to resurrect then. ?On the other hand, if someone
>> wants a site to keep its permanent Storage, then cookie resurrection
>> isn't a big deal.
>> You're seem to be assuming that either permanent Storage is *really*
>> permanent, or that browsers will never expose a way to delete that
>> data to the user (which amounts to the same). ?That's silly. ?The
>> whole *point* of specifying a permanent Storage in HTML is so browsers
>> can produce something that *they* control the UI for, rather than
>> leaving the user's privacy to unknown plugins and other hacky means.
> Again, this is precisely what we as UA authors can do now, with the current
> spec. ?I'm not sure what you're arguing. ?Our job is to make sure users
> whose philosophy is like Ian's are as well-served as users whose philosophy
> is like yours, and our hands are not tied.

You may have missed the part where Ian said that, to protect their
user's privacy, browsers *must* clear cookies and LocalStorage at the
same time.  This means that LocalStorage is exactly as ephemeral as
cookies, and is far too easy to blow away for authors to rely on.  I
regularly have semi-technical users of my intranet apps precede bug
reports with "I cleared my cookies, but that didn't do anything...".
I store next to nothing in cookies, so this is never useful, but
people have still internalized that action as a troubleshooting step
when a website is "broken".

People also clear cookies globally fairly often (you have to dig down
in FF to delete cookies on a site-specific basis).  This *will* make
people unintentionally blow away information they want to keep for
sites that are unrelated to the one they're having trouble with.


Received on Thursday, 3 September 2009 15:55:33 UTC