Mozilla recently implemented web storage:
This specification states:
User agents should present the persistent storage feature to the user in a way
that does not distinguish them from HTTP session cookies.
however there is no 'cookie' associated with the url given when searching in
a possibly related cookie in xml bug 506639
description should read:
searching in preferences/privacy/remove individual cookies
I'm not sure I agree. And note that networking:cookies is for the underlying transport, not for any user interface (which lives in Firefox, or Camino, or SeaMonkey, or ...)
My Camino privacy pane has a show cookies button which opens a sheet which has:
Website /\ | Name | Path | Secure | Expires | Value
with each row containing a cookie including its entire value
Assuming that localStorage can be MBs of data, I really would hate to have that in the value field.
My Firefox Privacy pane has a "remove individual cookies" link which opens a window with a tree of domains
Site | Cookie Name
v google.com |
google.com | TZ
Selecting a cookie in the tree shows a bunch of rows of information:
Send for: ...
Again, the whole value is shown. And again, showing MBs of data here is unlikely to make me happy.
Now, I said that networking:cookie is the wrong place for this bug, similarly dom:* is the wrong place, but the implementation of localStore lives somewhere in dom, and I want people to think about it before they send it to the various ui's to deal with. (and perhaps they already have a bug for this, since they should, as they added a privacy thing and that should have come up during their review process.)
johnatan: we are not presenting the localStorage content to the user via the cookies UI, at least as far as I know the Firefox code. localStorage (globalStorage) is treated as cookies because we share the quota for the storage data and cookies for a domain, and we delete the storage data along with the cookies for a domain on a user request. This is how I explain the spec to myself.
Unfortunately, the same happens for localStorage (globalStorage) data when a domain is marked by the user as an offline web application. I filed bug 499654 for this as I don't agree with the current behavior.
If you want to change the UI then I have no opinion. However, localStorage will not be used only for cookie-like data types; I agree with timeless that it may contain MBs of data, mainly for offline apps, as this is the only way of storing data locally at present (we don't support any structured storage).
Does this mean that a Firefox user cannot see and control HTML5 locally stored data?
As an example, many ad networks may now use locally stored data for user tracking. So even though I can delete the ad network cookie, the locally stored information will still be present?
As you may know, in Chrome local storage is presented in the same context as cookies, with the same ability for the user to delete and control.
Please ignore my comment 3, I had set up a pref that changed the standard behavior.
- localStorage can be used for storing "localStorage cookies" that should be handled in all places as HTTP cookies (we have flaws here)
- localStorage can be used as storage for offline web applications; those are web sites that are enabled by the user to behave as offline applications; these stored values must not be treated as "localStorage cookies", i.e. not displayed in the cookies UI and not deleted along with cookies (this is all already implemented in the current Gecko)
(In reply to comment #5)
> - localStorage can be used for storing "localStorage cookies" that should be in
> all places handled as http cookies (we have flaws here)
> - localStorage can be used as storage for offline web applications ;
How do you know whether a given localStorage object is a cookie or an offline "application storage"?
(In reply to comment #6)
> How do you know whether a given localStorage object is a cookie or an offline
> "application storage"?
You can give a domain an "offline application permission". Then localStorage accessed by such a domain (i.e. by all origins that use that domain) behaves as an offline application storage.
To turn a web page into an "offline application", let it define the "manifest" attribute in the <html> opening tag. You will find more about defining manifests in the HTML5 spec.