As a security precaution, we have turned on the setting "Require API key authentication for API requests" for everyone. If this has broken something, please contact
Last Comment Bug 506692 - present localStorage as cookie in the same UI
: present localStorage as cookie in the same UI
Status: NEW
: testcase, uiwanted
Product: Core
Classification: Components
Component: DOM (show other bugs)
: Trunk
: All All
: -- enhancement with 22 votes (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
: Andrew Overholt [:overholt]
Depends on:
Blocks: 449981 599724
  Show dependency treegraph
Reported: 2009-07-27 10:58 PDT by jonathan chetwynd
Modified: 2016-08-18 04:16 PDT (History)
25 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Description User image jonathan chetwynd 2009-07-27 10:58:54 PDT
mozilla recently implemented web storage:
this specification states:
User agents should present the persistent storage feature to the user in a way
that does not distinguish them from HTTP session cookies.

however there is no 'cookie' associated with the url given when searching in
preferences/show cookies

a possibly related cookie in xml bug 506639
Comment 1 User image jonathan chetwynd 2009-07-27 11:01:06 PDT
description should read:
searching in preferences/privacy/remove individual cookies
Comment 2 User image timeless 2009-07-27 16:12:20 PDT
i'm not sure i agree. and note that networking:cookies is for the underlying transport, not for any user interface (which lives in Firefox, or Camino, or SeaMonkey, or ...)

my camino privacy pane has a show cookies button which opens a sheet which has:

Website /\| Name   | Path   | Secure | Expires      | Value
with each row containing a cookie including its entire value

Assuming that localStorage can be mb's of data, i really would hate to have that in the value field.

My Firefox Privacy pane has a "remove individual cookies" link which opens a window with a tree of domains

Site                   | Cookie Name
v           |         | TZ

selecting a cookie in the tree shows a bunch of rows of information:

Name: TZ
Content: ...
Domain: ...
Path: ...
Send for: ...
Expires: ...

again, the whole value is shown. and again, showing mb's of data here is unlikely to make me happy.

Now, I said that networking:cookie is the wrong place for this bug, similarly dom:* is the wrong place, but the implementation of localStore lives somewhere in dom, and I want people to think about it before they send it to the various ui's to deal with. (and perhaps they already have a bug for this, since they should, as they added a privacy thing and that should have come up during their review process.)
Comment 3 User image Honza Bambas (:mayhemer) 2009-09-21 10:36:53 PDT
johnatan: we are not presenting the localStorage content to the user via the cookies UI, at least as I know the Firefox code. localStorage (globalStorage) is treated as cookies because we share quota for the storage data and cookies along for a domain and we delete the storage data along with the cookies for a domain on a user request. This is how I explain my self the spec.

Unfortunatelly, the same happens for localStorage (globalStorage) data when a domain is marked by the user as an offline web application. I filled bug 499654 for this as I don't agree with the current behavior.

If you want to change the UI then I have no opinion. However, localStorage will not be used only for cookies-like data types, I agree with timeless it may contain MBs of data, mainly the offline apps as this is the only way of local data storage at the present (we don't support any structured storage).
Comment 4 User image Jim Brock 2010-06-11 07:22:44 PDT
Does this mean that a Firefox user cannot see and control html5 local stored data?

As an example, many ad networks may now use local stored data for user tracking. So even though I can delete the ad network cookie, the local stored information will still be present?

As you may know, in Chrome local storage is presented in the same context as cookies, with the same ability for the user to delete and control.

Thank you
Comment 5 User image Honza Bambas (:mayhemer) 2010-09-26 06:02:39 PDT
Please ignore my comment 3, I had setup a pref that changed the standard behavior.

To explain:
- localStorage can be used for storing "localStorage cookies" that should be in all places handled as http cookies (we have flaws here)
- localStorage can be used as storage for offline web applications ; those are web sites that are enabled by user to behave as offline applications ; these stored values must not be treated as "localStorage cookies" i.e. not displayed in the cookies UI and not deleted along with cookies (this all is already implemented in the current Gecko)
Comment 6 User image Bastiaan Jacques 2011-01-30 02:38:20 PST
(In reply to comment #5)
> - localStorage can be used for storing "localStorage cookies" that should be in
> all places handled as http cookies (we have flaws here)
> - localStorage can be used as storage for offline web applications ;

How do you know whether a given localStorage object is a cookie or an offline "application storage"?
Comment 7 User image Honza Bambas (:mayhemer) 2011-01-31 09:33:59 PST
(In reply to comment #6)
> How do you know whether a given localStorage object is a cookie or an offline
> "application storage"?

You can give a domain an "offline application permission".  Then localStorage accessed by such a domain (i.e. by all origins that use that domain) behaves as an offline application storage.

To turn a web page to an "offline application", let it define the "manifest" attribute in the <html> opening tag.  You will find more about defining manifests in the HTML5 spec.

Note You need to log in before you can comment on or make changes to this bug.