On Tue, Jul 28, 2009 at 9:30 PM, Peter Kasting <pkast...@chromium.org>wrote:
> On Tue, Jul 28, 2009 at 9:23 PM, Mike Beltzner <beltz...@mozilla.com>wrote: > >> All we're doing at this point is preventing malicious applications from >> eating up disk, really. >> > > Yep, I agree (although that may no longer be true in a few years as web > apps grow in power and complexity). > >> In the world of normal applications, you basically give them arbitrary >> permission to use your disk, but the good ones write some requirements ahead >> of time like "requires 200 MB free hard drive space" and warn you at install >> if you're below that. Can we make the UI more like that, where you make a >> single trust decision up front? Yes an app can lie, but normally-installed >> apps can lie too. Can we provide enough ranking and feedback somewhere to >> make this decision easier on users? For example, "57% of users chose to >> install <foo.com>, and gave it an average rating of 2.3 stars." >> >> >> Oooh, web of trust. There are some flaws. :) >> >> I do think the right answer here is to only get the user involved when the >> case seems pathological. Most uses of localStorage will be for "better than >> cookies," I suspect. >> > > One case I'm trying to prevent is getting separate requests, at different > times, from the same app. You get some up-front query about desktop > shortcuts, and then a query five minutes later about using your camera, and > then a year later about going over 5 MB of storage, and so on. Sucky. > Really all I care about is an up-front "let this do whatever the heck it > wants" versus "no thanks". > Another thing to consider is that, if our limits are per-origin (what most implementations use IIRC), a malicious attacker could easily use lots of host names (i.e. host1.bad-site.com through host10000000.bad-site.com) to still fill things up. I'm starting to wonder if some sort of web of trust or black list type solution is the only way to avoid users getting DOSed. J --~--~---------~--~----~------------~-------~--~----~ Chromium Developers mailing list: chromium-dev@googlegroups.com View archives, change email options, or unsubscribe: http://groups.google.com/group/chromium-dev -~----------~----~----~----~------~----~------~--~---