Storage Quota Usage Details #365
Comments
|
Hey @jarryd999; looks like this isn't scheduled for next week's F2F meeting and is unlikely to get discussion by the requested date as a result. /cc @alice |
|
Apologies for missing this. We're going through some "growing pains" with our process and (somewhat of a good problem) the number of reviews coming in from Blink; we're hoping to spend some time at the f2f reviewing our process and looking for ways to provide more timely feedback. Not that this helps you in this instance; just that you're certainly not alone in not getting timely feedback from us, and we're acutely aware of the issue. Meanwhile, I believe we will be triaging issues for review at the f2f, so there is still a chance we'll get to it this week at least. |
|
Are you sure you considered all the privacy aspects? It seems this creates a bunch of identifiers with potentially fairly sizable variability in terms of their possible values. |
ylafon
added
Review type: small delta
Venue: WHATWG
Progress: unreviewed
and removed
Progress: untriaged
labels
|
@lknik I'll try to expand on the response to question 3.5 in the security and privacy questionnaire. I don't think we're exposing any new information to origins. Angle 1: Per-system quota usage (IndexedDB vs Cache Storage vs AppCache etc.) is a function of browser implementation (exposed from the user agent) and of all calls made by an origin to the respective storage APIs. The numbers summarize information that the origin already has. Angle 2: An origin that has data stored on the client (non-zero quota usage) can store a unique identifier for the user. Instead of using this new API, the origin can simply read a user ID from IndexedDB, or from Cache Storage etc. For both angles, it's worth noting that when a user wishes to be forgotten by a site and clears the site's data, all client-side storage will be wiped, and the quota details API will report zero usage from all subsystems. Does this help answer your concerns? |
|
For sure it helps. Do we want to have this documented for clarity? For example in Security/privacy considerations? |
|
@lknik I have added this into the Security/Privacy questionnaire as well as the explainer. |
|
Thank you for your feedback! We are shipping the Storage Quota Usage Details API in Chrome 75. |
|
So this API reinforces what is possible with current APIs, good to know ;) |
|
Hello, Just to let you know that this API is being used to detect incognito mode in browsers https://bugs.chromium.org/p/chromium/issues/detail?id=959839 |
|
@hober and I are looking at this during a breakout at the TAG face-to-face meeting. So from a quick read through the explainer I think this largely seems reasonable. I'm fine with the decision taken regarding the dictionary, although I'm a little skeptical of one of the arguments put forward:
I'd understand saying it's harder to measure, but I'm pretty skeptical of the claim that it's impossible. I think it would require changing the sort of instrumentation being done, but I'd think it would still be possible. That said, I think the choice of having only systems used be in the dictionary is probably good -- also because one advantage of it was missing, which is that it means that adding storage systems doesn't risk breaking web content by adding entries to these dictionaries. It doesn't seem like the mechanism used to detect incognito mode doesn't relate to the |
|
I think we're fine with closing this issue. The Thanks for requesting TAG review, and sorry for the delay getting back to you. |
dbaron
added
Resolution: satisfied
and others
Góðan dag TAG!
I'm requesting a TAG review of:
Further details (optional):
You should also know that...
[please tell us anything you think is relevant to this review]
We'd prefer the TAG provide feedback as (please select one):
The text was updated successfully, but these errors were encountered: