Storage Quota Usage Details

[jarryd999]

Góðan dag TAG！

I'm requesting a TAG review of:

• Name: Storage Quota Usage Details
• Specification URL: Add UsageDetails dictionary whatwg/storage#69
• Explainer, Requirements Doc, or Example code: https://jarryd999.github.io/quota-usage-details/
• Tests: https://github.com/web-platform-tests/wpt/tree/master/storage (estimate-usage-details*)
• Primary contacts: @jarryd999

Further details (optional):

• Relevant time constraints or deadlines: We would really appreciate feedback by May 20, 2019
• I have read and filled out the Self-Review Questionnare on Security and Privacy. The assessment is here.
• I have reviewed the TAG's API Design Principles

You should also know that...

[please tell us anything you think is relevant to this review]

We'd prefer the TAG provide feedback as (please select one):

• open issues in our GitHub repo for each point of feedback
• open a single issue in our GitHub repo for the entire review
• leave review feedback as a comment in this issue and @-notify @jarryd999

[slightlyoff]

Hey @jarryd999; looks like this isn't scheduled for next week's F2F meeting and is unlikely to get discussion by the requested date as a result.

/cc @alice

[alice]

Apologies for missing this.

We're going through some "growing pains" with our process and (somewhat of a good problem) the number of reviews coming in from Blink; we're hoping to spend some time at the f2f reviewing our process and looking for ways to provide more timely feedback. Not that this helps you in this instance; just that you're certainly not alone in not getting timely feedback from us, and we're acutely aware of the issue.

Meanwhile, I believe we will be triaging issues for review at the f2f, so there is still a chance we'll get to it this week at least.

[lknik]

Are you sure you considered all the privacy aspects? It seems this creates a bunch of identifiers with potentially fairly sizable variability in terms of their possible values.

[pwnall]

@lknik I'll try to expand on the response to question 3.5 in the security and privacy questionnaire. I don't think we're exposing any new information to origins.

Angle 1: Per-system quota usage (IndexedDB vs Cache Storage vs AppCache etc.) is a function of browser implementation (exposed from the user agent) and of all calls made by an origin to the respective storage APIs. The numbers summarize information that the origin already has.

Angle 2: An origin that has data stored on the client (non-zero quota usage) can store a unique identifier for the user. Instead of using this new API, the origin can simply read a user ID from IndexedDB, or from Cache Storage etc.

For both angles, it's worth noting that when a user wishes to be forgotten by a site and clears the site's data, all client-side storage will be wiped, and the quota details API will report zero usage from all subsystems.

Does this help answer your concerns?

[lknik]

For sure it helps. Do we want to have this documented for clarity? For example in Security/privacy considerations?

[jarryd999]

@lknik I have added this into the Security/Privacy questionnaire as well as the explainer.