Consider allowing offline app storage without prompting user?

RESOLVED DUPLICATE of bug 648064

Status

()

defect
RESOLVED DUPLICATE of bug 648064
8 years ago
7 years ago

People

(Reporter: Dolske, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

8 years ago
Margaret and Boriss are designing UI for the new about:permissions page, and asking about this prompt. I've also seen it occur recently on http://chrome.angrybirds.com (just load the page). You get a prompt that reads:

  This website (site.com) is asking to store data on your computer for
  offline use. [Allow] [Never for this site] [Not now]

Other similar features seem to automatically allow such things up to a quota, or treat it as a cookie and allow if cookies are ok. Bug 394392 added this UI, but I don't see any discussion there about making making this less opt-in. Put another way, _I_ don't understand the significance of why Firefox asks me this, or the ramifications of allowing it. So if it's a "whatever" prompt we should try to get rid of it, and if it's not it's not carrying a very effective warning.

So, first step here is to understand what the risks are. Obviously there's disk usage (ie, how much should the site be allowed to store). And, I'll guess, the potential for tracking by using stored data as a cookie? (Is it much different than regular cached data?)
(Reporter)

Comment 1

8 years ago
Forgot to note: this prompt can be triggered, sadly, by just:

  data:text/html,<html manifest>
We should certainly ensure that we only prompt if the page is actually asking us to store data in a "sensitive" way on the users filesystem. I don't know if the markup in comment 1 does that or not. But that seems like a separate bug than the issue in comment 0 and in the summary. So please lets discuss that elsewhere.

So if we don't have the prompt, we're effectively giving the site unlimited storage. This because it's very easy to register additional domains and store stuff using those.

The other issue is that I believe that accepting offline app storage modifies to some extent how navigating to that domain behaves. This part is communicated very poorly in prompt of course. I'm not really sure about the details here and I don't want to guess at it, but it something we should get an understanding of before we remove the prompt.

Another thing is that I think we'll only want to remove the prompt if we feel free to clear out the stored data at any point. We *didn't* feel free to do that for indexedDB, and that was a major reason we added a prompt to that (incidently, we should merge the prompt between app storage and indexedDB storage, but that's again a different bug).

Comment 3

8 years ago
Related issue here:
https://bugzilla.mozilla.org/show_bug.cgi?id=681545

Interesting related discussion for Chromium (Google Chrome):
http://code.google.com/p/chromium/issues/detail?id=61676

Current storage limits across many different browsers here:
http://dev-test.nemikor.com/web-storage/support-test/
These look like the same bugs, feel free to comment if you disagree.
I'm trying to organize the app cache prompt bugs so we can get this fixed.
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 648064
You need to log in before you can comment on or make changes to this bug.