- From: poot <cvsmail@w3.org>
- Date: 2012年3月13日 15:34:57 -0400
- To: public-html-diffs@w3.org
- Message-Id: <E1S7XUn-0008MN-Gi@jay.w3.org>
webstorage; hixie: Add ellipse support to canvas. (whatwg r7025) http://dev.w3.org/cvsweb/html5/webstorage/Overview.html?r1=1.186&r2=1.187&f=h http://html5.org/tools/web-apps-tracker?from=7024&to=7025 =================================================================== RCS file: /sources/public/html5/webstorage/Overview.html,v retrieving revision 1.186 retrieving revision 1.187 diff -u -d -r1.186 -r1.187 --- Overview.html 28 Nov 2011 23:05:09 -0000 1.186 +++ Overview.html 13 Mar 2012 19:34:29 -0000 1.187 @@ -1,4 +1,4 @@ -<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"><html lang="en-US-x-Hixie"><title>Web Storage</title><style type="text/css"> +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html lang="en-US-x-Hixie"><title>Web Storage</title><style type="text/css"> pre { margin-left: 2em; white-space: pre-wrap; } h2 { margin: 3em 0 1em 0; } h3 { margin: 2.5em 0 1em 0; } @@ -210,16 +210,18 @@ } return null; } - </script><div class="head" id="head"> + </script><body> + <div class="head" id="head"> <p><a href="http://www.w3.org/"><img alt="W3C" height="48" src="http://www.w3.org/Icons/w3c_home" width="72"></a></p> <h1>Web Storage</h1> - <h2 class="no-num no-toc" id="editor-s-draft-28-november-2011">Editor's Draft 28 November 2011</h2> + <h2 class="no-num no-toc" id="editor-s-draft-13-march-2012">Editor's Draft 13 March 2012</h2> <dl><dt>Latest Published Version:</dt> <dd><a href="http://www.w3.org/TR/webstorage/">http://www.w3.org/TR/webstorage/</a></dd> <dt>Latest Editor's Draft:</dt> <dd><a class="latest-link" href="http://dev.w3.org/html5/webstorage/">http://dev.w3.org/html5/webstorage/</a></dd> + <dt>Previous Versions:</dt> <dd><a href="http://www.w3.org/TR/2011/WD-webstorage-20110208/">http://www.w3.org/TR/2011/WD-webstorage-20110208/</a></dd> <dd><a href="http://www.w3.org/TR/2009/WD-webstorage-20091222/">http://www.w3.org/TR/2009/WD-webstorage-20091222/</a></dd> @@ -246,18 +248,37 @@ <!-- UNDER NO CIRCUMSTANCES IS THE PRECEDING PARAGRAPH TO BE REMOVED OR EDITED WITHOUT TALKING TO IAN FIRST --> - </div><hr class="top"><h2 class="no-num no-toc" id="abstract">Abstract</h2><p>This specification defines an API for persistent data storage of - key-value pair data in Web clients.<h2 class="no-num no-toc" id="status-of-this-document">Status of This document</h2><p><em>This section describes the status of this document at the + </div> + + <hr class="top"><h2 class="no-num no-toc" id="abstract">Abstract</h2> + + <p>This specification defines an API for persistent data storage of + key-value pair data in Web clients.</p> + + + <h2 class="no-num no-toc" id="status-of-this-document">Status of This document</h2> + + + + + <p><em>This section describes the status of this document at the time of its publication. Other documents may supersede this document. A list of current W3C publications and the most recently formally published <!-- DO NOT CHANGE THIS BACK TO THE STANDARD BOILERPLATE, AS IT IS INACCURATE --> revision of this technical report can be found in the <a href="http://www.w3.org/TR/">W3C technical reports index</a> at - http://www.w3.org/TR/.</em></p><p>If you wish to make comments regarding this document in a manner + http://www.w3.org/TR/.</em></p> + + + + + <p>If you wish to make comments regarding this document in a manner that is tracked by the W3C, please submit them via using <a href="http://www.w3.org/Bugs/Public/enter_bug.cgi?product=HTML%20WG">our public bug database</a>. If you do not have an account then you can - enter feedback using this form:<form action="http://www.whatwg.org/specs/web-apps/current-work/file-spam.cgi" method="post"> + enter feedback using this form:</p> + + <form action="http://www.whatwg.org/specs/web-apps/current-work/file-spam.cgi" method="post"> <fieldset><legend>Feedback Comments</legend> <input name="id" type="hidden" value="top"><input name="component" type="hidden" value="Web Storage (editor: Ian Hickson)"><input name="response" type="hidden" value="html"><p><label for="feedbackBox">Please enter your feedback, carefully indicating the title of the section for which you are submitting @@ -289,18 +310,28 @@ </script><p> <input onclick="return checkFeedbackForm(form)" type="submit" value="Submit feedback"><small>(Note: Your IP address and user agent will be publicly recorded for spam prevention purposes.)</small> </p> - </fieldset></form><p>You can also e-mail feedback to <a href="mailto:public-webapps@w3.org">public-webapps@w3.org</a> (<a href="mailto:public-webapps-request@w3.org?subject=subscribe">subscribe</a>, + </fieldset></form> + + + <p>You can also e-mail feedback to <a href="mailto:public-webapps@w3.org">public-webapps@w3.org</a> (<a href="mailto:public-webapps-request@w3.org?subject=subscribe">subscribe</a>, <a href="http://lists.w3.org/Archives/Public/public-webapps/">archives</a>), or <a href="mailto:whatwg@whatwg.org">whatwg@whatwg.org</a> (<a href="http://lists.whatwg.org/listinfo.cgi/whatwg-whatwg.org">subscribe</a>, <a href="http://lists.whatwg.org/pipermail/whatwg-whatwg.org/">archives</a>). - All feedback is welcome.</p><p>Implementors should be aware that this specification is not + All feedback is welcome.</p> + + + <p>Implementors should be aware that this specification is not stable. <strong>Implementors who are not taking part in the discussions are likely to find the specification changing out from under them in incompatible ways.</strong> Vendors interested in implementing this specification before it eventually reaches the Candidate Recommendation stage should join the aforementioned - mailing lists and take part in the discussions.<div id="multipage-common"> - </div><p>The latest + mailing lists and take part in the discussions.</p> + + <div id="multipage-common"> + </div> + + <p>The latest stable version of the editor's draft of this specification is always available on <a href="http://dev.w3.org/html5/webstorage/">the W3C CVS server</a> and in the <a href="http://svn.whatwg.org/webapps/">WHATWG @@ -308,9 +339,12 @@ editor's working copy</a> (which may contain unfinished text in the process of being prepared) contains the latest draft text of this specification (amongst others). For more details, please see the <a href="http://wiki.whatwg.org/wiki/FAQ#What_are_the_various_versions_of_the_spec.3F">WHATWG - FAQ</a>.<p>Notifications of changes to this specification are sent along + FAQ</a>.</p> + + <p>Notifications of changes to this specification are sent along with notifications of changes to related specifications using the - following mechanisms:<dl><dt>E-mail notifications of changes</dt> + following mechanisms:</p> + <dl><dt>E-mail notifications of changes</dt> <dd>Commit-Watchers mailing list (complete source diffs): <a href="http://lists.whatwg.org/listinfo.cgi/commit-watchers-whatwg.org">http://lists.whatwg.org/listinfo.cgi/commit-watchers-whatwg.org</a></dd> <dt>Browsable version-control record of all changes:</dt> <dd>CVSWeb interface with side-by-side diffs: <a href="http://dev.w3.org/cvsweb/html5/">http://dev.w3.org/cvsweb/html5/</a></dd> @@ -319,24 +353,38 @@ </dl><p>The W3C <a href="http://www.w3.org/2008/webapps/">Web Applications Working Group</a> is the W3C working group responsible for this specification's progress along the W3C Recommendation track. - This specification is the 28 November 2011 Editor's Draft. - </p><p>This document was produced by a group operating under the <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5 + This specification is the 13 March 2012 Editor's Draft. + </p> + + + + <p>This document was produced by a group operating under the <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/">5 February 2004 W3C Patent Policy</a>. W3C maintains a <a href="http://www.w3.org/2004/01/pp-impl/42538/status" rel="disclosure">public list of any patent disclosures</a> made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/#def-essential">Essential Claim(s)</a> must disclose the information in accordance with <a href="http://www.w3.org/Consortium/Patent-Policy-20040205/#sec-Disclosure">section - 6 of the W3C Patent Policy</a>.<h2 class="no-num no-toc" id="issues">Issues</h2><p>The use of the storage mutex to avoid race conditions is + 6 of the W3C Patent Policy</a>.</p> + + + <h2 class="no-num no-toc" id="issues">Issues</h2> + + <p>The use of the storage mutex to avoid race conditions is currently considered by certain implementors to be too high a performance burden, to the point where allowing data corruption is considered preferable. Alternatives that do not require a user-agent-wide per-origin script lock are eagerly sought after. If reviewers have any suggestions, they are urged to send them to the - addresses given in the previous section.<p>More details regarding this issue are available in these - e-mails (as well as <a href="http://lists.whatwg.org/mmsearch.cgi/whatwg-whatwg.org?config=whatwg-whatwg.org&restrict=&exclude=&method=and&format=short&sort=revtime&words=storage+mutex">numerous others</a>):<ul><li><a href="http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-September/023059.html">http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-September/023059.html</a></li> + addresses given in the previous section.</p> + + <p>More details regarding this issue are available in these + e-mails (as well as <a href="http://lists.whatwg.org/mmsearch.cgi/whatwg-whatwg.org?config=whatwg-whatwg.org&restrict=&exclude=&method=and&format=short&sort=revtime&words=storage+mutex">numerous others</a>):</p> + <ul><li><a href="http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-September/023059.html">http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-September/023059.html</a></li> <li><a href="http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-December/024277.html">http://lists.whatwg.org/htdig.cgi/whatwg-whatwg.org/2009-December/024277.html</a></li> </ul><h2 class="no-num no-toc" id="contents">Table of Contents</h2> + + <ol class="toc"> <li><a href="#introduction"><span class="secno">1 </span>Introduction</a></li> <li><a href="#conformance-requirements"><span class="secno">2 </span>Conformance requirements</a> @@ -366,19 +414,32 @@ <li><a href="#implementation-risks"><span class="secno">7.3 </span>Implementation risks</a></ol></li> <li><a class="no-num" href="#references">References</a></li> <li><a class="no-num" href="#acknowledgements">Acknowledgements</a></ol> -<hr><h2 id="introduction"><span class="secno">1 </span>Introduction</h2><p><i>This section is non-normative.</i><p>This specification introduces two related mechanisms, similar to + + <hr><h2 id="introduction"><span class="secno">1 </span>Introduction</h2> + + <p><i>This section is non-normative.</i></p> + + <p>This specification introduces two related mechanisms, similar to HTTP session cookies, for storing structured data on the client - side. <a href="#refsCOOKIES">[COOKIES]</a><p>The first is designed for scenarios where the user is carrying + side. <a href="#refsCOOKIES">[COOKIES]</a></p> + + <p>The first is designed for scenarios where the user is carrying out a single transaction, but could be carrying out multiple - transactions in different windows at the same time.<p>Cookies don't really handle this case well. For example, a user + transactions in different windows at the same time.</p> + + <p>Cookies don't really handle this case well. For example, a user could be buying plane tickets in two different windows, using the same site. If the site used cookies to keep track of which ticket the user was buying, then as the user clicked from page to page in both windows, the ticket currently being purchased would "leak" from one window to the other, potentially causing the user to buy two - tickets for the same flight without really noticing.<p>To address this, this specification introduces the <code title="dom-sessionStorage"><a href="#dom-sessionstorage">sessionStorage</a></code> IDL attribute. + tickets for the same flight without really noticing.</p> + + <p>To address this, this specification introduces the <code title="dom-sessionStorage"><a href="#dom-sessionstorage">sessionStorage</a></code> IDL attribute. Sites can add data to the session storage, and it will be accessible - to any page from the same site opened in that window.</p><div class="example"> + to any page from the same site opened in that window.</p> + + <div class="example"> <p>For example, a page could have a checkbox that the user ticks to indicate that he wants insurance:</p> @@ -396,13 +457,23 @@ <p>If the user had multiple windows opened on the site, each one would have its own individual copy of the session storage object.</p> - </div><p>The second storage mechanism is designed for storage that spans + </div> + + + + <p>The second storage mechanism is designed for storage that spans multiple windows, and lasts beyond the current session. In particular, Web applications may wish to store megabytes of user data, such as entire user-authored documents or a user's mailbox, on - the client side for performance reasons.<p>Again, cookies do not handle this case well, because they are - transmitted with every request.<p>The <code title="dom-localStorage"><a href="#dom-localstorage">localStorage</a></code> IDL - attribute is used to access a page's local storage area.<div class="example"> + the client side for performance reasons.</p> + + <p>Again, cookies do not handle this case well, because they are + transmitted with every request.</p> + + <p>The <code title="dom-localStorage"><a href="#dom-localstorage">localStorage</a></code> IDL + attribute is used to access a page's local storage area.</p> + + <div class="example"> <p>The site at example.com can display a count of how many times the user has loaded its page by putting the following at the bottom @@ -420,26 +491,50 @@ document.getElementById('count').textContent = localStorage.pageLoadCount; </script></pre> - </div><p>Each site has its own separate storage area.<h2 id="conformance-requirements"><span class="secno">2 </span>Conformance requirements</h2><p>All diagrams, examples, and notes in this specification are + </div> + + <p>Each site has its own separate storage area.</p> + + + + + + <h2 id="conformance-requirements"><span class="secno">2 </span>Conformance requirements</h2> + + <p>All diagrams, examples, and notes in this specification are non-normative, as are all sections explicitly marked non-normative. - Everything else in this specification is normative.<p>The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and + Everything else in this specification is normative.</p> + + <p>The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in the normative parts of this document are to be interpreted as described in RFC2119. For readability, these words do - not appear in all uppercase letters in this specification. <a href="#refsRFC2119">[RFC2119]</a><p>Requirements phrased in the imperative as part of algorithms + not appear in all uppercase letters in this specification. <a href="#refsRFC2119">[RFC2119]</a></p> + + <p>Requirements phrased in the imperative as part of algorithms (such as "strip any leading space characters" or "return false and abort these steps") are to be interpreted with the meaning of the key word ("must", "should", "may", etc) used in introducing the - algorithm.<p>Some conformance requirements are phrased as requirements on + algorithm.</p> + + <p>Some conformance requirements are phrased as requirements on attributes, methods or objects. Such requirements are to be - interpreted as requirements on user agents.<p>Conformance requirements phrased as algorithms or specific steps + interpreted as requirements on user agents.</p> + + <p>Conformance requirements phrased as algorithms or specific steps may be implemented in any manner, so long as the end result is equivalent. (In particular, the algorithms defined in this specification are intended to be easy to follow, and not intended to - be performant.)<p>The only conformance class defined by this specification is user - agents.<p>User agents may impose implementation-specific limits on + be performant.)</p> + + <p>The only conformance class defined by this specification is user + agents.</p> + + <p>User agents may impose implementation-specific limits on otherwise unconstrained inputs, e.g. to prevent denial of service attacks, to guard against running out of memory, or to work around - platform-specific limitations.<p>When support for a feature is disabled (e.g. as an emergency + platform-specific limitations.</p> + + <p>When support for a feature is disabled (e.g. as an emergency measure to mitigate a security problem, or to aid in development, or for performance reasons), user agents must act as if they had no support for the feature whatsoever, and as if the feature was not @@ -447,8 +542,15 @@ feature is accessed via an attribute in a Web IDL interface, the attribute itself would be omitted from the objects that implement that interface — leaving the attribute on the object but - making it return null or throw an exception is insufficient.<h3 id="dependencies"><span class="secno">2.1 </span>Dependencies</h3><p>This specification relies on several other underlying - specifications.<dl><dt>HTML</dt> + making it return null or throw an exception is insufficient.</p> + + + <h3 id="dependencies"><span class="secno">2.1 </span>Dependencies</h3> + + <p>This specification relies on several other underlying + specifications.</p> + + <dl><dt>HTML</dt> <dd> @@ -466,79 +568,140 @@ </dd> - </dl><h2 id="terminology"><span class="secno">3 </span>Terminology</h2><p>The construction "a <code title="">Foo</code> object", where + </dl><h2 id="terminology"><span class="secno">3 </span>Terminology</h2> + + <p>The construction "a <code title="">Foo</code> object", where <code title="">Foo</code> is actually an interface, is sometimes used instead of the more accurate "an object implementing the - interface <code title="">Foo</code>".<p>The term DOM is used to refer to the API set made available to + interface <code title="">Foo</code>".</p> + + <p>The term DOM is used to refer to the API set made available to scripts in Web applications, and does not necessarily imply the existence of an actual <code>Document</code> object or of any other <code>Node</code> objects as defined in the DOM Core - specifications. <a href="#refsDOMCORE">[DOMCORE]</a><p>An IDL attribute is said to be <em>getting</em> when its value is + specifications. <a href="#refsDOMCORE">[DOMCORE]</a></p> + + <p>An IDL attribute is said to be <em>getting</em> when its value is being retrieved (e.g. by author script), and is said to be - <em>setting</em> when a new value is assigned to it.<p>The term "JavaScript" is used to refer to ECMA262, rather than + <em>setting</em> when a new value is assigned to it.</p> + + + <p>The term "JavaScript" is used to refer to ECMA262, rather than the official term ECMAScript, since the term JavaScript is more - widely known. <a href="#refsECMA262">[ECMA262]</a><h2 id="storage"><span class="secno">4 </span>The API</h2><h3 id="the-storage-interface"><span class="secno">4.1 </span>The <code><a href="#storage-0">Storage</a></code> interface</h3><pre class="idl">interface <dfn id="storage-0">Storage</dfn> { + widely known. <a href="#refsECMA262">[ECMA262]</a></p> + + + + + <h2 id="storage"><span class="secno">4 </span>The API</h2> + + <h3 id="the-storage-interface"><span class="secno">4.1 </span>The <code><a href="#storage-0">Storage</a></code> interface</h3> + + <pre class="idl">interface <dfn id="storage-0">Storage</dfn> { readonly attribute unsigned long <a href="#dom-storage-length" title="dom-Storage-length">length</a>; DOMString? <a href="#dom-storage-key" title="dom-Storage-key">key</a>(unsigned long index); getter DOMString <a href="#dom-storage-getitem" title="dom-Storage-getItem">getItem</a>(DOMString key); setter creator void <a href="#dom-storage-setitem" title="dom-Storage-setItem">setItem</a>(DOMString key, DOMString value); deleter void <a href="#dom-storage-removeitem" title="dom-Storage-removeItem">removeItem</a>(DOMString key); void <a href="#dom-storage-clear" title="dom-Storage-clear">clear</a>(); -};</pre><p>Each <code><a href="#storage-0">Storage</a></code> object provides access to a list of +};</pre> + + + + <p>Each <code><a href="#storage-0">Storage</a></code> object provides access to a list of key/value pairs, which are sometimes called items. Keys are strings. Any string (including the empty string) is a valid - key. Values are similarly strings.<p>Each <code><a href="#storage-0">Storage</a></code> object is associated with a list of + key. Values are similarly strings.</p> + + <p>Each <code><a href="#storage-0">Storage</a></code> object is associated with a list of key/value pairs when it is created, as defined in the sections on the <code title="dom-sessionStorage"><a href="#dom-sessionstorage">sessionStorage</a></code> and <code title="dom-localStorage"><a href="#dom-localstorage">localStorage</a></code> attributes. Multiple separate objects implementing the <code><a href="#storage-0">Storage</a></code> interface can all be associated with the same list of key/value pairs - simultaneously.<p>The <dfn id="dom-storage-length" title="dom-Storage-length"><code>length</code></dfn> + simultaneously.</p> + + <p>The <dfn id="dom-storage-length" title="dom-Storage-length"><code>length</code></dfn> attribute must return the number of key/value pairs currently - present in the list associated with the object.<p>The <dfn id="dom-storage-key" title="dom-Storage-key"><code>key(<var title="">n</var>)</code></dfn> method must return the name of the + present in the list associated with the object.</p> + + <p>The <dfn id="dom-storage-key" title="dom-Storage-key"><code>key(<var title="">n</var>)</code></dfn> method must return the name of the <var title="">n</var>th key in the list. The order of keys is user-agent defined, but must be consistent within an object so long as the number of keys doesn't change. (Thus, <a href="#dom-storage-setitem" title="dom-Storage-setItem">adding</a> or <a href="#dom-storage-removeitem" title="dom-Storage-removeItem">removing</a> a key may change the order of the keys, but merely changing the value of an existing key must not.) If <var title="">n</var> is greater than or equal to the number of key/value pairs - in the object, then this method must return null.<p>The <span>supported property names</span> on a + in the object, then this method must return null.</p> + + <p>The <span>supported property names</span> on a <code><a href="#storage-0">Storage</a></code> object are the keys of each key/value pair - currently present in the list associated with the object.<p>The <dfn id="dom-storage-getitem" title="dom-Storage-getItem"><code>getItem(<var title="">key</var>)</code></dfn> method must return + currently present in the list associated with the object.</p> + + <p>The <dfn id="dom-storage-getitem" title="dom-Storage-getItem"><code>getItem(<var title="">key</var>)</code></dfn> method must return the current value associated with the given <var title="">key</var>. If the given <var title="">key</var> does not exist in the list associated with the object then this method must return null. + </p> + <p>The <dfn id="dom-storage-setitem" title="dom-Storage-setItem"><code>setItem(<var title="">key</var>, <var title="">value</var>)</code></dfn> method must first check if a key/value pair with the given <var title="">key</var> already exists in the list - associated with the object.<p>If it does not, then a new key/value pair must be added to the + associated with the object.</p> + + <p>If it does not, then a new key/value pair must be added to the list, with the given <var title="">key</var> and with its value set - to <var title="">value</var>.<p>If the given <var title="">key</var> <em>does</em> exist in the - list, then it must have its value updated to <var title="">value</var>.<p>If it couldn't set the new value, the method must throw an + to <var title="">value</var>.</p> + + <p>If the given <var title="">key</var> <em>does</em> exist in the + list, then it must have its value updated to <var title="">value</var>.</p> + + <p>If it couldn't set the new value, the method must throw an <code>QuotaExceededError</code> exception. (Setting could fail if, e.g., the user has disabled storage for the site, or if the quota - has been exceeded.)<p>The <dfn id="dom-storage-removeitem" title="dom-Storage-removeItem"><code>removeItem(<var title="">key</var>)</code></dfn> method must cause the key/value + has been exceeded.)</p> + + <p>The <dfn id="dom-storage-removeitem" title="dom-Storage-removeItem"><code>removeItem(<var title="">key</var>)</code></dfn> method must cause the key/value pair with the given <var title="">key</var> to be removed from the list associated with the object, if it exists. If no item with that - key exists, the method must do nothing.<p>The <code title="dom-Storage-setItem"><a href="#dom-storage-setitem">setItem()</a></code> and <code title="dom-Storage-removeItem"><a href="#dom-storage-removeitem">removeItem()</a></code> methods must be + key exists, the method must do nothing.</p> + + <p>The <code title="dom-Storage-setItem"><a href="#dom-storage-setitem">setItem()</a></code> and <code title="dom-Storage-removeItem"><a href="#dom-storage-removeitem">removeItem()</a></code> methods must be atomic with respect to failure. In the case of failure, the method does nothing. That is, changes to the data storage area must either be successful, or the data storage area must not be changed at - all.<p>The <dfn id="dom-storage-clear" title="dom-Storage-clear"><code>clear()</code></dfn> + all.</p> + + <p>The <dfn id="dom-storage-clear" title="dom-Storage-clear"><code>clear()</code></dfn> method must atomically cause the list associated with the object to be emptied of all key/value pairs, if there are any. If there are - none, then the method must do nothing.<p class="note">When the <code title="dom-Storage-setItem"><a href="#dom-storage-setitem">setItem()</a></code>, <code title="dom-Storage-removeItem"><a href="#dom-storage-removeitem">removeItem()</a></code>, and <code title="dom-Storage-clear"><a href="#dom-storage-clear">clear()</a></code> methods are invoked, events + none, then the method must do nothing.</p> + + <p class="note">When the <code title="dom-Storage-setItem"><a href="#dom-storage-setitem">setItem()</a></code>, <code title="dom-Storage-removeItem"><a href="#dom-storage-removeitem">removeItem()</a></code>, and <code title="dom-Storage-clear"><a href="#dom-storage-clear">clear()</a></code> methods are invoked, events are fired on other <code>Document</code> objects that can access the newly stored or removed data, as defined in the sections on the - <code title="dom-sessionStorage"><a href="#dom-sessionstorage">sessionStorage</a></code> and <code title="dom-localStorage"><a href="#dom-localstorage">localStorage</a></code> attributes.</p><p class="note">This specification does not require that the above + <code title="dom-sessionStorage"><a href="#dom-sessionstorage">sessionStorage</a></code> and <code title="dom-localStorage"><a href="#dom-localstorage">localStorage</a></code> attributes.</p> + + <p class="note">This specification does not require that the above methods wait until the data has been physically written to disk. Only consistency in what different scripts accessing the same - underlying list of key/value pairs see is required.<h3 id="the-sessionstorage-attribute"><span class="secno">4.2 </span>The <code title="dom-sessionStorage"><a href="#dom-sessionstorage">sessionStorage</a></code> attribute</h3><pre class="idl">[NoInterfaceObject] + underlying list of key/value pairs see is required.</p> + + + <h3 id="the-sessionstorage-attribute"><span class="secno">4.2 </span>The <code title="dom-sessionStorage"><a href="#dom-sessionstorage">sessionStorage</a></code> attribute</h3> + + <pre class="idl">[NoInterfaceObject] interface <dfn id="windowsessionstorage">WindowSessionStorage</dfn> { readonly attribute <a href="#storage-0">Storage</a> <a href="#dom-sessionstorage" title="dom-sessionStorage">sessionStorage</a>; }; -<span>Window</span> implements <a href="#windowsessionstorage">WindowSessionStorage</a>;</pre><p>The <dfn id="dom-sessionstorage" title="dom-sessionStorage"><code>sessionStorage</code></dfn> +<span>Window</span> implements <a href="#windowsessionstorage">WindowSessionStorage</a>;</pre> + + <p>The <dfn id="dom-sessionstorage" title="dom-sessionStorage"><code>sessionStorage</code></dfn> attribute represents the set of storage areas specific to the - current <span>top-level browsing context</span>.<p>Each <span>top-level browsing context</span> has a unique set of - session storage areas, one for each <span>origin</span>.<p>User agents should not expire data from a browsing context's + current <span>top-level browsing context</span>.</p> + + <p>Each <span>top-level browsing context</span> has a unique set of + session storage areas, one for each <span>origin</span>.</p> + + <p>User agents should not expire data from a browsing context's session storage areas, but may do so when the user requests that such data be deleted, or when the UA detects that it has limited storage space, or for security reasons. User agents should always @@ -547,9 +710,13 @@ therefore permanently inaccessible to the user) the data stored in its session storage areas can be discarded with it, as the API described in this specification provides no way for that data to - ever be subsequently retrieved.<p class="note">The lifetime of a browsing context can be unrelated + ever be subsequently retrieved.</p> + + <p class="note">The lifetime of a browsing context can be unrelated to the lifetime of the actual user agent process itself, as the user - agent may support resuming sessions after a restart.<p>When a new <code>Document</code> is created in a <span>browsing + agent may support resuming sessions after a restart.</p> + + <p>When a new <code>Document</code> is created in a <span>browsing context</span> which has a <span>top-level browsing context</span>, the user agent must check to see if that <span>top-level browsing context</span> has a session storage area for that document's @@ -561,15 +728,21 @@ storage area does not change during the lifetime of a <code>Document</code>, even in the case of a <span>nested browsing context</span> (e.g. in an <code>iframe</code>) being moved to - another <span>parent browsing context</span>.<p>The <code title="dom-sessionStorage"><a href="#dom-sessionstorage">sessionStorage</a></code> + another <span>parent browsing context</span>.</p> + + <p>The <code title="dom-sessionStorage"><a href="#dom-sessionstorage">sessionStorage</a></code> attribute must return a <code><a href="#storage-0">Storage</a></code> object associated with the <code>Document</code>'s assigned session storage area, if any, or null if there isn't one. Each <code>Document</code> object must - have a separate object for its <code>Window</code>'s <code title="dom-sessionStorage"><a href="#dom-sessionstorage">sessionStorage</a></code> attribute.<p>When a new <span>top-level browsing context</span> is created by + have a separate object for its <code>Window</code>'s <code title="dom-sessionStorage"><a href="#dom-sessionstorage">sessionStorage</a></code> attribute.</p> + + <p>When a new <span>top-level browsing context</span> is created by cloning an existing <span>browsing context</span>, the new browsing context must start with the same session storage areas as the original, but the two sets must from that point on be considered - separate, not affecting each other in any way.<p>When a new <span>top-level browsing context</span> is created by + separate, not affecting each other in any way.</p> + + <p>When a new <span>top-level browsing context</span> is created by a <span title="concept-script">script</span> in an existing <span>browsing context</span>, or by the user following a link in an existing browsing context, or in some other way related to a @@ -577,26 +750,43 @@ <span>origin</span> of that <code>Document</code> must be copied into the new browsing context when it is created. From that point on, however, the two session storage areas must be considered - separate, not affecting each other in any way.<p id="sessionStorageEvent">When the <code title="dom-Storage-setItem"><a href="#dom-storage-setitem">setItem()</a></code>, <code title="dom-Storage-removeItem"><a href="#dom-storage-removeitem">removeItem()</a></code>, and <code title="dom-Storage-clear"><a href="#dom-storage-clear">clear()</a></code> methods are called on a + separate, not affecting each other in any way.</p> + + <p id="sessionStorageEvent">When the <code title="dom-Storage-setItem"><a href="#dom-storage-setitem">setItem()</a></code>, <code title="dom-Storage-removeItem"><a href="#dom-storage-removeitem">removeItem()</a></code>, and <code title="dom-Storage-clear"><a href="#dom-storage-clear">clear()</a></code> methods are called on a <code><a href="#storage-0">Storage</a></code> object <var title="">x</var> that is associated with a session storage area, if the methods did something, then in every <code>Document</code> object whose <code>Window</code> object's <code title="dom-sessionStorage"><a href="#dom-sessionstorage">sessionStorage</a></code> attribute's <code><a href="#storage-0">Storage</a></code> object is associated with the same - storage area, other than <var title="">x</var>, a <code title="event-storage"><a href="#event-storage">storage</a></code> event must be fired, as <a href="#event-storage" title="event-storage">described below</a>.<h3 id="the-localstorage-attribute"><span class="secno">4.3 </span>The <code title="dom-localStorage"><a href="#dom-localstorage">localStorage</a></code> attribute</h3><pre class="idl">[NoInterfaceObject] + storage area, other than <var title="">x</var>, a <code title="event-storage"><a href="#event-storage">storage</a></code> event must be fired, as <a href="#event-storage" title="event-storage">described below</a>.</p> + + + <h3 id="the-localstorage-attribute"><span class="secno">4.3 </span>The <code title="dom-localStorage"><a href="#dom-localstorage">localStorage</a></code> attribute</h3> + + <pre class="idl">[NoInterfaceObject] interface <dfn id="windowlocalstorage">WindowLocalStorage</dfn> { readonly attribute <a href="#storage-0">Storage</a> <a href="#dom-localstorage" title="dom-localStorage">localStorage</a>; }; -<span>Window</span> implements <a href="#windowlocalstorage">WindowLocalStorage</a>;</pre><p>The <dfn id="dom-localstorage" title="dom-localStorage"><code>localStorage</code></dfn> +<span>Window</span> implements <a href="#windowlocalstorage">WindowLocalStorage</a>;</pre> + + <p>The <dfn id="dom-localstorage" title="dom-localStorage"><code>localStorage</code></dfn> object provides a <code><a href="#storage-0">Storage</a></code> object for an - <span>origin</span>.<p>User agents must have a set of local storage areas, one for each - <span>origin</span>.<p>User agents should expire data from the local storage areas only + <span>origin</span>.</p> + + <p>User agents must have a set of local storage areas, one for each + <span>origin</span>.</p> + + <p>User agents should expire data from the local storage areas only for security reasons or when requested to do so by the user. User agents should always avoid deleting data while a script that could - access that data is running.<p>When the <code title="dom-localStorage"><a href="#dom-localstorage">localStorage</a></code> + access that data is running.</p> + + <p>When the <code title="dom-localStorage"><a href="#dom-localstorage">localStorage</a></code> attribute is accessed, the user agent must run the following steps, which are known as the <dfn id="storage-object-initialization-steps"><code>Storage</code> object - initialization steps</dfn>:</p><ol><li><p>The user agent may throw a <code>SecurityError</code> + initialization steps</dfn>:</p> + + <ol><li><p>The user agent may throw a <code>SecurityError</code> exception instead of returning a <code><a href="#storage-0">Storage</a></code> object if the request violates a policy decision (e.g. if the user agent is configured to not allow the page to persist data).</li> @@ -621,52 +811,86 @@ every <code>Document</code> object whose <code>Window</code> object's <code title="dom-localStorage"><a href="#dom-localstorage">localStorage</a></code> attribute's <code><a href="#storage-0">Storage</a></code> object is associated with the same - storage area, other than <var title="">x</var>, a <code title="event-storage"><a href="#event-storage">storage</a></code> event must be fired, as <a href="#event-storage" title="event-storage">described below</a>.<p id="localStorageMutex">Whenever the properties of a <code title="dom-localStorage"><a href="#dom-localstorage">localStorage</a></code> attribute's + storage area, other than <var title="">x</var>, a <code title="event-storage"><a href="#event-storage">storage</a></code> event must be fired, as <a href="#event-storage" title="event-storage">described below</a>.</p> + + <p id="localStorageMutex">Whenever the properties of a <code title="dom-localStorage"><a href="#dom-localstorage">localStorage</a></code> attribute's <code><a href="#storage-0">Storage</a></code> object are to be examined, returned, set, or deleted, whether as part of a direct property access, when checking for the presence of a property, during property enumeration, when determining the number of properties present, or as part of the execution of any of the methods or attributes defined on the <code><a href="#storage-0">Storage</a></code> interface, the user agent must first - <span>obtain the storage mutex</span>.</p><h4 id="security-localStorage"><span class="secno">4.3.1 </span>Security</h4><p>User agents must throw a <code>SecurityError</code> exception + <span>obtain the storage mutex</span>.</p> + + + + <h4 id="security-localStorage"><span class="secno">4.3.1 </span>Security</h4> + + <p>User agents must throw a <code>SecurityError</code> exception whenever any of the members of a <code><a href="#storage-0">Storage</a></code> object originally returned by the <code title="dom-localStorage"><a href="#dom-localstorage">localStorage</a></code> attribute are accessed by scripts whose <span>effective script origin</span> is not the <span title="same origin">same</span> as the <span>origin</span> of the <code>Document</code> of the <code>Window</code> object on which the <code title="dom-localStorage"><a href="#dom-localstorage">localStorage</a></code> attribute was - accessed.<p class="note">This means <code><a href="#storage-0">Storage</a></code> objects are neutered + accessed.</p> + + <p class="note">This means <code><a href="#storage-0">Storage</a></code> objects are neutered when the <code title="dom-document-domain">document.domain</code> - attribute is used.</p><h3 id="the-storage-event"><span class="secno">4.4 </span>The <code title="event-storage"><a href="#event-storage">storage</a></code> event</h3><p>The <dfn id="event-storage" title="event-storage"><code>storage</code></dfn> event + attribute is used.</p> + + + + + <h3 id="the-storage-event"><span class="secno">4.4 </span>The <code title="event-storage"><a href="#event-storage">storage</a></code> event</h3> + + <p>The <dfn id="event-storage" title="event-storage"><code>storage</code></dfn> event is fired when a storage area changes, as described in the previous two sections (<a href="#sessionStorageEvent">for session storage</a>, <a href="#localStorageEvent">for local - storage</a>).<p>When this happens, the user agent must <span>queue a task</span> + storage</a>).</p> + + <p>When this happens, the user agent must <span>queue a task</span> to fire an event with the name <code><a href="#storage-0">storage</a></code>, which does not bubble and is not cancelable, and which uses the <code><a href="#storageevent">StorageEvent</a></code> interface, at each <code>Window</code> object whose <code>Document</code> object has a <code><a href="#storage-0">Storage</a></code> - object that is affected.<p class="note">This includes <code>Document</code> objects that are + object that is affected.</p> + + <p class="note">This includes <code>Document</code> objects that are not <span>fully active</span>, but events fired on those are ignored by the <span>event loop</span> until the <code>Document</code> - becomes <span>fully active</span> again.<p>The <span>task source</span> for this task is the <span>DOM - manipulation task source</span>.<p>If the event is being fired due to an invocation of the <code title="dom-Storage-setItem"><a href="#dom-storage-setitem">setItem()</a></code> or <code title="dom-Storage-removeItem"><a href="#dom-storage-removeitem">removeItem()</a></code> methods, the + becomes <span>fully active</span> again.</p> + + <p>The <span>task source</span> for this task is the <span>DOM + manipulation task source</span>.</p> + + <p>If the event is being fired due to an invocation of the <code title="dom-Storage-setItem"><a href="#dom-storage-setitem">setItem()</a></code> or <code title="dom-Storage-removeItem"><a href="#dom-storage-removeitem">removeItem()</a></code> methods, the event must have its <code title="dom-StorageEvent-key"><a href="#dom-storageevent-key">key</a></code> attribute initialized to the name of the key in question, its <code title="dom-StorageEvent-oldValue"><a href="#dom-storageevent-oldvalue">oldValue</a></code> attribute initialized to the old value of the key in question, or null if the key is newly added, and its <code title="dom-StorageEvent-newValue"><a href="#dom-storageevent-newvalue">newValue</a></code> attribute initialized to the new value of the key in question, or null if the key was - removed.<p>Otherwise, if the event is being fired due to an invocation of + removed.</p> + + <p>Otherwise, if the event is being fired due to an invocation of the <code title="dom-Storage-clear"><a href="#dom-storage-clear">clear()</a></code> method, the event must have its <code title="dom-StorageEvent-key"><a href="#dom-storageevent-key">key</a></code>, <code title="dom-StorageEvent-oldValue"><a href="#dom-storageevent-oldvalue">oldValue</a></code>, and <code title="dom-StorageEvent-newValue"><a href="#dom-storageevent-newvalue">newValue</a></code> attributes - initialized to null.<p>In addition, the event must have its <code title="dom-StorageEvent-url"><a href="#dom-storageevent-url">url</a></code> attribute initialized to + initialized to null.</p> + + <p>In addition, the event must have its <code title="dom-StorageEvent-url"><a href="#dom-storageevent-url">url</a></code> attribute initialized to <span title="the document's address">the address of the document</span> whose <code><a href="#storage-0">Storage</a></code> object was affected; and its <code title="dom-StorageEvent-storageArea"><a href="#dom-storageevent-storagearea">storageArea</a></code> attribute initialized to the <code><a href="#storage-0">Storage</a></code> object from the <code>Window</code> object of the target <code>Document</code> that represents the same kind of <code><a href="#storage-0">Storage</a></code> area as was - affected (i.e. session or local).<h4 id="event-definition"><span class="secno">4.4.1 </span>Event definition</h4><pre class="idl">[Constructor(DOMString type, optional <a href="#storageeventinit">StorageEventInit</a> eventInitDict)] + affected (i.e. session or local).</p> + + + <h4 id="event-definition"><span class="secno">4.4.1 </span>Event definition</h4> + + <pre class="idl">[Constructor(DOMString type, optional <a href="#storageeventinit">StorageEventInit</a> eventInitDict)] interface <dfn id="storageevent">StorageEvent</dfn> : <span>Event</span> { readonly attribute DOMString <a href="#dom-storageevent-key" title="dom-StorageEvent-key">key</a>; readonly attribute DOMString? <a href="#dom-storageevent-oldvalue" title="dom-StorageEvent-oldValue">oldValue</a>; @@ -681,41 +905,81 @@ DOMString? newValue; DOMString url; <a href="#storage-0">Storage</a>? storageArea; -};</pre><p>The <dfn id="dom-storageevent-key" title="dom-StorageEvent-key"><code>key</code></dfn> +};</pre> + + <p>The <dfn id="dom-storageevent-key" title="dom-StorageEvent-key"><code>key</code></dfn> attribute must return the value it was initialized to. When the object is created, this attribute must be initialized to the empty - string. It represents the key being changed.<p>The <dfn id="dom-storageevent-oldvalue" title="dom-StorageEvent-oldValue"><code>oldValue</code></dfn> + string. It represents the key being changed.</p> + + <p>The <dfn id="dom-storageevent-oldvalue" title="dom-StorageEvent-oldValue"><code>oldValue</code></dfn> attribute must return the value it was initialized to. When the object is created, this attribute must be initialized to null. It - represents the old value of the key being changed.<p>The <dfn id="dom-storageevent-newvalue" title="dom-StorageEvent-newValue"><code>newValue</code></dfn> + represents the old value of the key being changed.</p> + + <p>The <dfn id="dom-storageevent-newvalue" title="dom-StorageEvent-newValue"><code>newValue</code></dfn> attribute must return the value it was initialized to. When the object is created, this attribute must be initialized to null. It - represents the new value of the key being changed.<p>The <dfn id="dom-storageevent-url" title="dom-StorageEvent-url"><code>url</code></dfn> + represents the new value of the key being changed.</p> + + <p>The <dfn id="dom-storageevent-url" title="dom-StorageEvent-url"><code>url</code></dfn> attribute must return the value it was initialized to. When the object is created, this attribute must be initialized to the empty string. It represents the address of the document whose key - changed.<p>The <dfn id="dom-storageevent-storagearea" title="dom-StorageEvent-storageArea"><code>storageArea</code></dfn> + changed.</p> + + <p>The <dfn id="dom-storageevent-storagearea" title="dom-StorageEvent-storageArea"><code>storageArea</code></dfn> attribute must return the value it was initialized to. When the object is created, this attribute must be initialized to null. It - represents the <code><a href="#storage-0">Storage</a></code> object that was affected.<h3 id="threads"><span class="secno">4.5 </span>Threads</h3><p>Because of <a href="#localStorageMutex">the use</a> of the + represents the <code><a href="#storage-0">Storage</a></code> object that was affected.</p> + + + + <h3 id="threads"><span class="secno">4.5 </span>Threads</h3> + + <p>Because of <a href="#localStorageMutex">the use</a> of the <span>storage mutex</span>, multiple browsing contexts will be able to access the local storage areas simultaneously in such a manner - that scripts cannot detect any concurrent script execution.<p>Thus, the <code title="dom-Storage-length"><a href="#dom-storage-length">length</a></code> + that scripts cannot detect any concurrent script execution.</p> + + <p>Thus, the <code title="dom-Storage-length"><a href="#dom-storage-length">length</a></code> attribute of a <code><a href="#storage-0">Storage</a></code> object, and the value of the various properties of that object, cannot change while a script is executing, other than in a way that is predictable by the script - itself.<h2 id="disk-space"><span class="secno">5 </span>Disk space</h2><p>User agents should limit the total amount of space allowed for - storage areas.<p>User agents should guard against sites storing data under the + itself.</p> + + + <h2 id="disk-space"><span class="secno">5 </span>Disk space</h2> + + <p>User agents should limit the total amount of space allowed for + storage areas.</p> + + <p>User agents should guard against sites storing data under the origins other affiliated sites, e.g. storing up to the limit in a1.example.com, a2.example.com, a3.example.com, etc, circumventing - the main example.com storage limit.<p>User agents may prompt the user when quotas are reached, allowing + the main example.com storage limit.</p> + + <p>User agents may prompt the user when quotas are reached, allowing the user to grant a site more space. This enables sites to store many user-created documents on the user's computer, for - instance.<p>User agents should allow users to see how much space each domain - is using.</p><p>A mostly arbitrary limit of five megabytes per + instance.</p> + + <p>User agents should allow users to see how much space each domain + is using.</p> + + + + <p>A mostly arbitrary limit of five megabytes per <span>origin</span> is recommended. Implementation feedback is welcome and will be used to update this suggestion in the - future.<h2 id="privacy"><span class="secno">6 </span>Privacy</h2><h3 id="user-tracking"><span class="secno">6.1 </span>User tracking</h3><p>A third-party advertiser (or any entity capable of getting + future.</p> + + + <h2 id="privacy"><span class="secno">6 </span>Privacy</h2> + + <h3 id="user-tracking"><span class="secno">6.1 </span>User tracking</h3> + + <p>A third-party advertiser (or any entity capable of getting content distributed to multiple sites) could use a unique identifier stored in its local storage area to track a user across multiple sessions, building a profile of the user's interests to allow for @@ -723,8 +987,12 @@ aware of the user's real identity (for example an e-commerce site that requires authenticated credentials), this could allow oppressive groups to target individuals with greater accuracy than - in a world with purely anonymous Web usage.<p>There are a number of techniques that can be used to mitigate the - risk of user tracking:<dl><dt>Blocking third-party storage</dt> + in a world with purely anonymous Web usage.</p> + + <p>There are a number of techniques that can be used to mitigate the + risk of user tracking:</p> + + <dl><dt>Blocking third-party storage</dt> <dd> <p>User agents may restrict access to the <code title="dom-localStorage"><a href="#dom-localstorage">localStorage</a></code> objects to scripts @@ -757,6 +1025,7 @@ data expiration.</p> + </dd> <dt>Treating persistent storage as cookies</dt> @@ -816,47 +1085,95 @@ identifying information (names, credit card numbers, addresses) obtained by the site. If a third party cooperates with multiple sites to obtain such information, a profile can still be - created.<p>However, user tracking is to some extent possible even with no + created.</p> + + <p>However, user tracking is to some extent possible even with no cooperation from the user agent whatsoever, for instance by using session identifiers in URLs, a technique already commonly used for innocuous purposes but easily repurposed for user tracking (even retroactively). This information can then be shared with other sites, using using visitors' IP addresses and other user-specific data (e.g. user-agent headers and configuration settings) to combine - separate sessions into coherent user profiles.<h3 id="sensitivity-of-data"><span class="secno">6.2 </span>Sensitivity of data</h3><p>User agents should treat persistently stored data as potentially + separate sessions into coherent user profiles.</p> + + + <h3 id="sensitivity-of-data"><span class="secno">6.2 </span>Sensitivity of data</h3> + + <p>User agents should treat persistently stored data as potentially sensitive; it's quite possible for e-mails, calendar appointments, health records, or other confidential documents to be stored in this - mechanism.<p>To this end, user agents should ensure that when deleting data, - it is promptly deleted from the underlying storage.</p><h2 id="security-storage"><span class="secno">7 </span>Security</h2><h3 id="dns-spoofing-attacks"><span class="secno">7.1 </span>DNS spoofing attacks</h3><p>Because of the potential for DNS spoofing attacks, one cannot + mechanism.</p> + + <p>To this end, user agents should ensure that when deleting data, + it is promptly deleted from the underlying storage.</p> + + + + <h2 id="security-storage"><span class="secno">7 </span>Security</h2> + + <h3 id="dns-spoofing-attacks"><span class="secno">7.1 </span>DNS spoofing attacks</h3> + + <p>Because of the potential for DNS spoofing attacks, one cannot guarantee that a host claiming to be in a certain domain really is from that domain. To mitigate this, pages can use TLS. Pages using TLS can be sure that only the user, software working on behalf of the user, and other pages using TLS that have certificates identifying them as being from the same domain, can access their - storage areas.<h3 id="cross-directory-attacks"><span class="secno">7.2 </span>Cross-directory attacks</h3><p>Different authors sharing one host name, for example users + storage areas.</p> + + + <h3 id="cross-directory-attacks"><span class="secno">7.2 </span>Cross-directory attacks</h3> + + <p>Different authors sharing one host name, for example users hosting content on <code>geocities.com</code>, all share one local storage object. There is no feature to restrict the access by pathname. Authors on shared hosts are therefore recommended to avoid using these features, as it would be trivial for other authors to - read the data and overwrite it.<p class="note">Even if a path-restriction feature was made + read the data and overwrite it.</p> + + <p class="note">Even if a path-restriction feature was made available, the usual DOM scripting security model would make it trivial to bypass this protection and access the data from any - path.<h3 id="implementation-risks"><span class="secno">7.3 </span>Implementation risks</h3><p>The two primary risks when implementing these persistent storage + path.</p> + + + <h3 id="implementation-risks"><span class="secno">7.3 </span>Implementation risks</h3> + + <p>The two primary risks when implementing these persistent storage features are letting hostile sites read information from other domains, and letting hostile sites write information that is then - read from other domains.<p>Letting third-party sites read data that is not supposed to be + read from other domains.</p> + + <p>Letting third-party sites read data that is not supposed to be read from their domain causes <em>information leakage</em>, For example, a user's shopping wishlist on one domain could be used by another domain for targeted advertising; or a user's work-in-progress confidential documents stored by a word-processing - site could be examined by the site of a competing company.<p>Letting third-party sites write data to the persistent storage of + site could be examined by the site of a competing company.</p> + + <p>Letting third-party sites write data to the persistent storage of other domains can result in <em>information spoofing</em>, which is equally dangerous. For example, a hostile site could add items to a user's wishlist; or a hostile site could set a user's session identifier to a known ID that the hostile site can then use to track - the user's actions on the victim site.<p>Thus, strictly following the <span>origin</span> model described - in this specification is important for user security.</p><h2 class="no-num" id="references">References</h2><p>All references are normative unless marked "Non-normative".</p><dl><dt id="refsCOOKIES">[COOKIES]</dt> - <dd><cite><a href="http://tools.ietf.org/html/rfc6265">HTTP State Management Mechanism</a></cite>, A. Barth. IETF.</dd> + the user's actions on the victim site.</p> + + <p>Thus, strictly following the <span>origin</span> model described + in this specification is important for user security.</p> + + + + + + <h2 class="no-num" id="references">References</h2> + + <p>All references are normative unless marked "Non-normative".</p> + + + + <dl><dt id="refsCOOKIES">[COOKIES]</dt> + + <dd><cite><a href="http://tools.ietf.org/html/rfc6265">HTTP State Management Mechanism</a></cite>, A. Barth. IETF.</dd> <dt id="refsDOMCORE">[DOMCORE]</dt> <dd><cite><a href="http://dvcs.w3.org/hg/domcore/raw-file/tip/Overview.html">Web DOM Core</a></cite>, A. van Kesteren. W3C.</dd> @@ -875,8 +1192,13 @@ RFCs to Indicate Requirement Levels</a></cite>, S. Bradner. IETF.</dd> <dt id="refsWEBIDL">[WEBIDL]</dt> - <dd><cite><a href="http://dev.w3.org/2006/webapi/WebIDL/">Web + + <dd><cite><a href="http://dev.w3.org/2006/webapi/WebIDL/">Web IDL</a></cite>, C. McCormack. W3C.</dd> - </dl><h2 class="no-num" id="acknowledgements">Acknowledgements</h2><p>For a full list of acknowledgements, please see the HTML - specification. <a href="#refsHTML">[HTML]</a> + </dl><h2 class="no-num" id="acknowledgements">Acknowledgements</h2> + + <p>For a full list of acknowledgements, please see the HTML + specification. <a href="#refsHTML">[HTML]</a></p> + +
Received on Tuesday, 13 March 2012 19:35:07 UTC