On Sep 1, 2009, at 12:11 AM, Adrian Sutton wrote:

> On 01/09/2009 00:14, "Tab Atkins Jr." <jackalm...@gmail.com> wrote:
>> Sure, the ones using it for tracking that care *that much* will use
>> other solutions anyway. But people who just want some persistent
>> storage as part of their app, because it's useful to their users, will
>> use the browser-native solution if it works. If LocalStorage is
>> explicitly supposed to be as ephemeral as cookies, though, that will
>> push people towards stuff like Flash LocalStorage instead.
>
> No one in their right mind would use Flash LocalStorage for user-critical
> data.

This is wrong. That developers use Flash LocalStorage for this is not
hypothetical. It's the best option they have, so they've been doing
it - even though it has its own horrible flaws.

> It's great for tracking because most users don't know how to clear
> it, but because users don't know about it they also don't back it up or
> transfer it to new computers/browsers etc.

Tracking aside, Flash LocalStorage *is* also used for storage of user
data. It is flawed for this, but the fact is: Flash LocalStorage is
currently the best way to store data on the client machine and have a
reasonable expectation that it will be there in the future. If HTML5
LocalStorage isn't *at least as reliable*, then developers will keep
using Flash.

That users don't know about it and don't know to back up or transfer
this data is something that user agents have an interest to change,
but plug-in developers probably don't.

> Besides which, there are already very popular UAs that have no support for
> Flash and thus no Flash LocalStorage. It would be nice to not create the
> same privacy hole on those platforms.

Equating HTML5 LocalStorage with a "privacy hole" seems to be a bit of
hyperbole, and a bit unfounded. The fact that we're still having
this discussion is reflective of how much browser developers have
learned about the security of the web and our users' data, and how
little we want to repeat past mistakes.

Flash LocalStorage is the *current* privacy hole, and we won't move
the web forward and bring this type of data into the light until we
can at least match the expectations developers already have.

~Brady

> Regards,
>
> Adrian Sutton.
> ______________________
> Adrian Sutton, CTO
> UK: +44 1 628 200 182 x481 US: +1 (650) 292 9659 x717
> Ephox <http://www.ephox.com/>
> Ephox Blogs <http://planet.ephox.com/>, Personal Blog
> <http://www.symphonious.net/>