are users going to select buckets to delete? mitigations for evercookies? #2
Comments
|
Generally, storage might have data that is not specific to the user and just helps with performance, like cached assets; so we don't need to clear that information on logout, but do need to clear user-specific information on logout. Another scenario is for storage constrained devices. We've encountered a non-trivial amount of devices that have very little storage quota, and having buckets makes it easier to reason about evicting less important data first when we need to clear space. We can improve the explainer and flesh out these scenarios more, but does my explanation attempt help @npdoty ? |
|
I can understand that sites may want to clear different subsets of cached data. But I'm still not clear, and the explainer seems inconsistent on this point, whether these buckets/categories are intended to be exposed to the user or whether the user is making decisions about them, or whether it's just the site that's dividing these categories and providing hints to a UA for use cases of automatic clearing. |
|
It's a good point, specifically that the explainer says this:
And this (emphasis added):
However, I don't think that means individual buckets will actually be user-visible. They don't have a human-readable name, nor would a user know what they contained. The phrase "distinguish persistent buckets in [...] UI" simply means that the user agent may provide a button like "clear temporary data for this origin to save space" separate from "obliterate all data for this origin to protect my privacy and save space". |
|
If the user won't have any insight or decision-making about the types of data in different buckets, then I think we should have a separate issue to consider the evercookies problem. Separating this into buckets has the risk of making evercookies more opaque and persistent, as presumably the developer will put that into the persistent bucket and the suggestion is that users will be extra cautioned (threatened?) not to clear persistent storage. |
|
I wouldn't expect users would be cautioned against clearing persistent storage. Chrome's clear browsing data dialog makes it very easy to delete all data or choose individual kinds of data to delete. Likewise the site details page allows users to delete all data without any kind of warning beyond:
Which I think is fair and non-threatening :) |
* Add algorithm for bucket removal * Update index.bs * update algorithms with remove * Fix wording * Fix wording #2
* Add IndexedDB text. (#46) * Updates around user visibility of buckets. * Add self as author. * Clarify wording. * Add bucket durability and IndexedDB text. * algorithm tag Co-authored-by: Evan Stade <[email protected]> * Add caches and getDirectory text. (#51) Co-authored-by: Evan Stade <[email protected]> * Creating a bucket (#48) * Spec for creating a bucket * fix english * Address comments * Algorithms for delete (#50) * Fix bad merge * Algorithm for keys() (#52) * Add caches and getDirectory text. (#47) * Updates around user visibility of buckets. * Add self as author. * Clarify wording. * Add bucket durability and IndexedDB text. * algorithm tag * caches and getDirectory * remove abbreviation Co-authored-by: Evan Stade <[email protected]> * Revert "Add caches and getDirectory text. (#47)" (#49) This reverts commit a2fa5bc. * Algorithm for keys() * fix append Co-authored-by: Evan Stade <[email protected]> Co-authored-by: Evan Stade <[email protected]> * spec-draft rebase (#53) * Add caches and getDirectory text. (#47) * Updates around user visibility of buckets. * Add self as author. * Clarify wording. * Add bucket durability and IndexedDB text. * algorithm tag * caches and getDirectory * remove abbreviation Co-authored-by: Evan Stade <[email protected]> * Revert "Add caches and getDirectory text. (#47)" (#49) This reverts commit a2fa5bc. Co-authored-by: Evan Stade <[email protected]> Co-authored-by: Evan Stade <[email protected]> * Enhance IDB, CacheStorage algorithms. (#54) * Enhance IDB, CacheStorage algorithms. Also distinguish between the conceptual bottle and the StorageBottle object in the open() definition. * algo tags Co-authored-by: Evan Stade <[email protected]> * Add more algorithms for StorageBucket attributes. (#55) * Add more algorithms for StorageBucket attributes. * reference StorageEstimate object Co-authored-by: Evan Stade <[email protected]> * Enhancements. (#56) * Enhancements. 1. Specify when expired buckets are removed. 2. Improve some text around durability, quota. * fix some link errors * or equal to * Review updates Co-authored-by: Evan Stade <[email protected]> * Write persist/persisted algos (#57) * Write persist/persisted algos * no backticks on true Co-authored-by: Evan Stade <[email protected]> * Fill in some error types. (#58) * Write persist/persisted algos * no backticks on true * Fill in some error types. * Indentation fixes * Fix redundant step. * Streamline delete bucket. Co-authored-by: Evan Stade <[email protected]> * Add Clear Site Data. (#59) * Add Clear Site Data. Most of this text needs to be worked into various parts of the CSD spec. * Better annotations Co-authored-by: Evan Stade <[email protected]> * Address review feedback (#63) Co-authored-by: Evan Stade <[email protected]> * Spec draft (#64) * Address review feedback * additional review comment --------- Co-authored-by: Evan Stade <[email protected]> * Spec draft (#65) * Address review feedback * additional review comment --------- Co-authored-by: Evan Stade <[email protected]> * Spec draft (#66) * Address review feedback * additional review comment --------- Co-authored-by: Evan Stade <[email protected]> * fix typo (#67) Co-authored-by: Evan Stade <[email protected]> * Address comments (#68) * Use TypeError * Update index.bs * null or undefined * s/and/, then/ * backticks instead of <code> * Address comments #2 (#69) * durability value * quota value * expiration value * Address comments 3 (#70) * quota value in bytes * code point * Operate open bucket on storage bucket map * use bucket map & update persist() (#71) * Expand usage of bucket map * remove the * Use bucket map for clear site data * short-circuit if bucket is already persistent * Update time & expiration (#72) * Update time * Update time 2 * check for null bucket expiration * parse duration string * Fix link to html spec * make durability() not async (#73) * Address comments (#74) * Update to use TypeError instead of UnknownError * Remove obtaining |storageKey| * Fix parallel steps * Fix dfn for storage usage * Fix parallel steps for keys() & delete() * Fix delete() * Handle undefined quota * Use wall time * UA bucket clearing wording * Add bucket to bucket map on creation * Fix indent * Add algorithm for bucket removal (#75) * Add algorithm for bucket removal * Update index.bs * update algorithms with remove * Fix wording * Fix wording #2 * Add issues for storage endpoint quota eviction (#77) * Address comments (#78) * Address comments * Fix bucket removal step * Add Service Worker deletion to issue * Remove string parsing step for expires * Update duration to moment * get or expire a bucket * Allow UA bucket deletion on expiration * Nit * Apply suggestions by @jyasskin Co-authored-by: Jeffrey Yasskin <[email protected]> * Update expiration (#80) * expiration time * Specify moment on the wall clock * Use [=Unix epoch=] * Mark -> set * Fix expiration comparison * Apply jyasskin@'s suggestions Use "before" instead of "less than or equal" Co-authored-by: Jeffrey Yasskin <[email protected]> * Use queue a task (#81) * Use [=queue a task=] * Additional changes * Update persist() and add note on Promises (#82) * Fix persist() to not reference [=this=] in parallel steps * Note on promises --------- Co-authored-by: Evan Stade <[email protected]> Co-authored-by: Ayu Ishii <[email protected]> Co-authored-by: Jeffrey Yasskin <[email protected]>
It may be helpful to flesh out the key scenarios as soon as you can, as I may just be misunderstanding the proposal.
One possibility of specifying different buckets that can be cleared separately is to encourage users to clear only some but not everything from an origin. Is that a goal here? There are privacy risks to partial clearing: problems with evercookies have typically led us to suggest that user agents should clear all data related to an origin simultaneously so that it can't be continually re-spawned.
Similarly, I'm not sure how the goal of helping users on shared devices will be accomplished.
The text was updated successfully, but these errors were encountered: