Bugzilla – Bug 18866
Make it clear that localStorage can be cleared by UA at will
Last modified: 2012-11-25 05:07:03 UTC
While I think it was originally intended that localStorage was to store such small amounts of data that it was OK to keep the data around forever, this hasn't really seemed to work out in practice.
Users can easily accumulate large amounts of data for sites that they have only ever visited once. This is because simply visiting a site can silently cause MB of data to be written to the user's HD.
Our stance at Mozilla has for a while now been that we don't want to write permanent data to the user's HD without consent from the user. "Consent from the user" in practice means either going through some explicit step indicating that the website is special (an "install" step, or simply bookmarking the website), or by asking the user if it's OK if we let the website store permanent data.
Authors are at this point depending on us not bringing up a prompt any time that localStorage is used, so that's not an option. And for most websites the user does not go through an explicit step to indicate that the website is special.
Hence our plan is to not make localStorage a permanent storage area by default. Instead we plan to clear out localStorage in an LRU-type fashion.
I *believe* that Chrome is planning on doing something similar, but obviously that needs to be confirmed by them.
It also appears that iOS 5.1 has made a similar decision.
jsbell clarified to me that LRU meant "on an origin basis" and it might be worth clarifying wherever this is used; otherwise folks are going to think that arbitrary key/value pairs are just going to vanish from their localStorage.
I also wanted to point out that there are some DoS attacks that you can imagine - i.e. imagine I have a page with 1000 iframes, 1000 origins that all put a few key/values in their respective localStores. If the eviction policy is purely size-based, it could let bad sites flush your browser of local storage for other sites even if you just used them 5 minutes earlier, possibly effectively logging you out of other sites.
Yes, we should definitely make the requirement that if the UA clears data "automatically", i.e. without an explicit user action, it should clear the data for a whole origin, not individual key/value pairs. (I don't have an opinion on whether that should be a MUST or SHOULD level requirement.)
And yes, we shouldn't mandate any particular data-nuking policy. I'd definitely like to have something smarter than a plain LRU, though it's unclear how much smarts we'll build in the first step.
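The iframe flood and the origin-granularity requirement discussed in the two comments above, as an added example that is not part of this bug thread or of any browser's code: a toy model of a user agent that evicts localStorage whole origins at a time, least recently used first, once a global quota is exceeded. The quota size, the byte accounting, the origin names and the 1000-iframe attacker are all assumptions chosen to make the effect visible.

```javascript
// Toy model (not browser code) of per-origin LRU eviction of localStorage.
// Each origin gets its own key/value map and a last-used stamp; when the
// global quota is exceeded, the least recently used origin OTHER than the one
// currently writing is dropped in its entirety. Keys never vanish one by one.
class OriginLruStore {
  constructor(quotaBytes) {
    this.quotaBytes = quotaBytes;          // global budget, assumed value
    this.origins = new Map();              // origin -> { data: Map, lastUsed }
    this.clock = 0;                        // logical clock for LRU ordering
    this.evicted = [];                     // evicted origins, in order
  }

  // Bytes in use across all origins (key + value lengths, an approximation).
  usedBytes() {
    let total = 0;
    for (const { data } of this.origins.values()) {
      for (const [k, v] of data) total += k.length + v.length;
    }
    return total;
  }

  _touch(origin) {
    let entry = this.origins.get(origin);
    if (!entry) {
      entry = { data: new Map(), lastUsed: 0 };
      this.origins.set(origin, entry);
    }
    entry.lastUsed = ++this.clock;
    return entry;
  }

  setItem(origin, key, value) {
    const entry = this._touch(origin);
    entry.data.set(key, String(value));
    this._enforceQuota(origin);
  }

  // Reading also counts as use; a missing origin or key reads as null,
  // exactly like localStorage.getItem after the origin was cleared.
  getItem(origin, key) {
    const entry = this.origins.get(origin);
    if (!entry) return null;
    entry.lastUsed = ++this.clock;
    return entry.data.has(key) ? entry.data.get(key) : null;
  }

  _enforceQuota(justWritten) {
    while (this.usedBytes() > this.quotaBytes) {
      let victim = null;
      for (const [origin, entry] of this.origins) {
        if (origin === justWritten) continue;
        if (victim === null || entry.lastUsed < this.origins.get(victim).lastUsed) {
          victim = origin;
        }
      }
      if (victim === null) break;          // only the writer is left; nothing to evict
      this.origins.delete(victim);         // whole origin, never individual keys
      this.evicted.push(victim);
    }
  }
}

// The attack from the comment above: one page embeds 1000 iframes on 1000
// attacker-controlled origins (constructed names), each storing a few hundred
// bytes. Under plain origin-LRU the victim site, used only moments earlier,
// is the first origin to be flushed, dropping its session token with it.
function floodDemo() {
  const ua = new OriginLruStore(64 * 1024);            // 64 KiB quota, assumed
  ua.setItem('https://bank.example', 'session', 'tok-' + 'x'.repeat(100));
  for (let i = 0; i < 1000; i++) {
    ua.setItem(`https://a${i}.attacker.example`, 'k', 'v'.repeat(200));
  }
  return {
    victimEvicted: ua.getItem('https://bank.example', 'session') === null,
    firstEvicted: ua.evicted[0],
    evictedCount: ua.evicted.length,
    // Every surviving origin still holds its single key: eviction is all-or-nothing.
    survivorsIntact: [...ua.origins.values()].every((e) => e.data.size === 1),
  };
}

console.log(floodDemo());
```

Run with `node` on the file. Because eviction is all-or-nothing per origin, a site that wants to notice it has been flushed only needs to check one sentinel key at load time rather than validating every key it stored; what replaces plain LRU to blunt the flood is left open by the thread and is not modelled here.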
Please see the text at:
...and let me know if it's still insufficient to handle the cases described here.
Checked in as WHATWG revision r7540.
Check-in comment: Clarify that this can be a default behaviour.