[webkit-dev] DOM Storage and private browsing

Jeremy Orlow jorlow at chromium.org
Wed May 20 14:12:35 PDT 2009

Oh, and I forgot to mention: given your philosophy on private browsing and
the potential for session data being written to disk in the future, I think
it's reasonable to disallow writing to SessionStorage while in private
browsing mode.  I'll add a comment in the StorageArea.cpp code explaining
this decision.


On Wed, May 20, 2009 at 2:01 PM, Jeremy Orlow <jorlow at chromium.org> wrote:

> Thanks a lot for the quick response.  This does clear up a lot for me.
> Hopefully I'll send my first DOM Storage re-factoring [1] patch out in a
> day or two.  Once the re-factoring is squared away, I'll try to tackle these
> inconsistencies.  (And, a little further out, I'm hoping to add Quota
> support and memory reclamation code.)  In the mean time I'll file a bug.
> Note that, with respect to some of these corner cases, I think Chromium's
> behavior may need diverge from the default WebKit behavior.  (For example,
> incognito mode will be different from WebKit's private browsing.)  That
> said, I think it should be pretty easy to handle these differences in a
> clean manner.
> Thanks,
> Jeremy
> [1] https://lists.webkit.org/pipermail/webkit-dev/2009-May/007684.html
> On Wed, May 20, 2009 at 1:38 PM, Brady Eidson <beidson at apple.com> wrote:
>> On May 20, 2009, at 1:03 PM, Jeremy Orlow wrote:
>> I'm pretty confused by the policy decisions in DOM Storage with respect to
>> private browsing.
>> Just to be clear, I understand that Safari's private browsing has a
>> different philosophy from Chromium's incognito mode.
>> Right.  To re-clarify for this discussion:
>> WebKit's private browsing feature exists as direct result of the design of
>> Safari's private browsing feature from many years ago.  Safari's private
>> browsing feature has always been about "do not leave any local footprint on
>> the user's disk pertaining to this browsing session" and has never been
>> about creating an anonymous profile for the wild.
>> Take a look at cookies, for example - a private browsing session starts
>> with an in-memory copy of the cookies that existed at the time the session
>> starts.  Any changes to cookies during the session are not persisted to
>> disk.  When the private browsing session is over, we revert back to the
>> stored cookies as they existed when private browsing began.
>> We definitely discussed applying that model to
>> LocalStorage, and it's certainly not off the table to do so.  But such a
>> solution would be much more complex,
>> and were more concerned with closing the "LocalStorage changes are written to disk during private browsing" bug in the meantime.
>> When in private browsing, both LocalStorage and SessionStorage return
>> QUOTA_EXCEEDED_ERR whenever setItem() is called and simply ignore
>> removeItem() and clear() calls.  This is different from the behavior when
>> LocalStorage persistence is disabled (because
>> page->settings()->localStorageDatabasePath() returns nothing) which returns
>> a LocalStorage object that is not database backed.
>> I think this is a bug.  The crux of the emails to whatwg that you
>> reference is that we have two strong convictions:
>> 1 - LocalStorage is guaranteed to be persistent.  We're giving web
>> developers simple, reliable, persistent storage and we plan to treat it like
>> user data that only the controlling web apps or users themselves can make
>> decisions about
>> 2 - Since LocalStorage is guaranteed to be persistent, we should never
>> give a web app the indication that we've stored some data when we actually
>> have no intention to store it.
>> If we can get a LocalStorage object that is not database backed, this goes
>> against that philosophy and is a potential bug.
>> According to a FIXME in LocalStorage::fullDatabaseFilename [2], there's
>> also plans to allow LocalStorage (but just not back it with a database) when
>> there is no quota.
>> The first question is why private browsing affects SessionStorage?  The
>> original email [1] on the matter didn't mention changing this, and I can't
>> see any reason why it needs to.
>> From the ChangeLog for r42302 - "...made the change to restrict
>> SessionStorage to read-only, also, with the understanding that the spec
>> allows for SessionStorage to persist across relaunches, even though our
>> implementation currently doesn't do this."
>> This may have been overzealous preparation for the future, but hopefully
>> it explains the thinking behind it.
>> Next, why the (planned) inconsistency in quota handling?  This seems to go
>> against the Apple view on LocalStorage persistence ("[doing this] would lead
>> to bizarre behavior where data that the application thought was saved really
>> wasn't" is the only example I could find in 1 minute, but I believe there's
>> others in [3] and other threads).  It also seems confusing that the script
>> would get a QUOTA_EXCEEDED_ERR if there's a tiny quota but would just get a
>> non-database backed storage if there's 0 quota.
>> As said above, if we can't back a LocalStorage object with a database, we
>> shouldn't be pretending to store data in it.  This is a bug.  Same with 0
>> quota.  It should probably end up having the read-only behavior as currently
>> implemented for private browsing.
>> Lastly, I have to ask (at the risk of rehashing [3]) why private browsing
>> gives access to data accumulated before entering private browsing (which
>> could be sensitive and user identifying!) and why it's considered ok to
>> silently ignore requests to clear/remove data (even though it's not OK
>> according to [1] to offer a non-persistent LocalStorage).
>> I'm bringing this up because (as far as I can tell) WebKit is not
>> consistent internally.  If any changes need to be made as a result of this
>> discussion, I'm happy to make them.  :-)
>> I started out with a description of Safari's Private Browsing philosophy
>> then clarified a few points on our LocalStorage philosophy.  Hopefully that
>> - combined with the acknowledgement of some bugs! - clears up the
>> inconsistencies.  ;)
>> As far as "silently ignoring requests to clear/remove data" - I personally
>> hate the fact that we silently ignore such requests.  One intent of my
>> original email to whatwg was to get a mechanism to ignore these requests
>> LOUDLY.  But unlike the setItem() case where the spec gave us an out in the
>> form of "QUOTA_EXCEEDED_ERR," there was no spec'ed behavior we could adapt
>> for the ignoring remove/clear requests.
>> From our viewpoint, there's two great reasons to have the "read-only
>> LocalStorage" mode.  One is our private browsing philosophy.  Two is the
>> other cases where changes to the LocalStorage object won't actually be saved
>> to disk (such as the "no database filename" or "0 quota") issues.
>> I completely understand that Chromium has a different philosophy with
>> Incognito mode versus Safari's private browsing.  But I think the "we should
>> never pretend to store data that we have no intention to store" philosophy
>> is a more fundamental WebKit issue.  WebKit shouldn't lie.  :)
>> ~Brady
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-dev/attachments/20090520/7d22caa8/attachment.html>

More information about the webkit-dev mailing list