Open Bug 1652461 Opened 4 years ago Updated 3 years ago

Introduce DirectoryLock::ReportCorruption to trigger clearing of the storage bucket via nsIClearDataService on dynamic corruption

Categories

(Core :: Storage: Quota Manager, enhancement)

Product:
Core
Component:
Storage: Quota Manager
Type:
enhancement

Tracking

()

People

(Reporter: asuth, Unassigned)

References

(Depends on 1 open bug)

Details

In the event of corruption in an origin, spec and consensus among implementations is a storage bucket.

In discussion in the past we determined that the DirectoryLock is the appropriate place for a client to report encountering corruption, as opposed to reporting it via nsIQuotaManagerService or a new interface on quota::Client instances. Because all access that might discover corruption must already be holding a DirectoryLock and the DirectoryLock identifies the client and the bucket, as well as having direct access to the underlying data structures, this does seem like a good choice.

This came up most recently in https://bugzilla.mozilla.org/show_bug.cgi?id=1644780#c20 but is a meta problem.

This would of course want telemetry.

And given that I believe we're on board with https://github.com/wanderview/storage-corruption-reporting/blob/master/explainer.md we likely want to plan to log that we cleared the origin in QMv4 metadata for the origin.

Note that:

  1. Clearing should involve nsIClearDataService for completeness/consistency rather than be strictly internal to QuotaManager.
  2. We should consider whether special handling is appropriate for LocalStorage (NextGen). If LocalStorage is corrupt, we absolutely need to clear it, but for legacy and practical reasons, it might make sense to treat LocalStorage similar to cookies (in that it can be used for login persistence that's orthogonal to richer storage).
    • Probably the right course of action is to clear LocalStorage but to make sure that our telemetry indicates the source of the corruption. If we're seeing disproportionately higher rates of corruption from storage other than LocalStorage which results in clearing LocalStorage, we would want to revisit as it's more likely for the loss of LocalStorage to be visible to users.
    • The motivating assumption is that some sites, for example chat.mozilla.org, store login credentials in LocalStorage. Because we limit cookies set via document.cookie to a maximum of 7 days of storage (because of tracking concerns), this has potentially shifted the equilibrium of storage for cases like this from cookies (which would not be cleared per the storage spec currently) to using LocalStorage more.
See Also: → 1644780
See Also: → 1694935

Bug 1694935 should have handled the case of database corruption being detected at initialization time, so this should likely now be more about dynamically detected corruption, which likely depends on bug 1125157 being addressed.

Depends on: 1125157
Summary: Introduce DirectoryLock::ReportCorruption to trigger clearing of the storage bucket via nsIClearDataService → Introduce DirectoryLock::ReportCorruption to trigger clearing of the storage bucket via nsIClearDataService on dynamic corruption
You need to log in before you can comment on or make changes to this bug.