Quoting Ian Hickson <i...@hixie.ch>:

> On Tue, 25 Aug 2009, Jens Alfke wrote:
>> Potential result: "I was having trouble logging into FooDocs.com, so my friend
>> suggested I delete the cookies for that site. After that I could log in, but
>> now the document I was working on this morning has lost all the changes I
>> made! How do I get them back?"
>>
>> I suggest that the sub-section "Treating persistent storage as cookies" of
>> section 6.1 be removed.
>
> We can't treat cookies and persistent storage differently, because
> otherwise we'll expose users to cookie resurrection attacks. Maintaining
> the user's expectations of privacy is critical.

I think the paragraph under "treating persistent storage as cookies" should simply be removed. The remainder of that section already does an adequate job of explaining the privacy implications of persistent storage. The UI should be entirely at the discretion of the browser vendor since it involves a variety of tradeoffs, with the optimum solution depending on the anticipated user base of the browser. Placing spec requirements simply limits the abilities of browser vendors to find innovative solutions to the problem. In addition, since there is no interoperability requirement here, using RFC 2119 language seems inappropriate; especially since the justification given is rather weak ("this might encourage users?") and not supported by any evidence.

As to what browser vendors should actually _do_, it seems to me that the "user's expectations of privacy" is actually an illusion in this case; all the bad stuff that can be done with persistent storage can already be done using a variety of techniques. Trying to fix up this one case seems like closing the stable door after the horse has bolted. Therefore the "delete local storage when you delete cookies" model seems flawed, particularly as it can lead to the type of problem that Jens described above.

On a slightly different topic, it is unclear what the relationship between the statement in section 4.3 "User agents should expire data from the local storage areas only for security reasons or when requested to do so by the user" and the statement in section 6.1 "User agents may automatically delete stored data after a period of time." is supposed to be. Does the latter count as a security reason?
