How to treat localStorage and sessionStorage

[joelweinberger]

To avoid the pitfalls of just removing storage completely from Suborigins, we need to be more specific about how localStorage and sessionStorage are handled. The three options off the top of my head are:

• Bad access to both, a la sandbox. Has the disadvantage that access throws an exception, making transferring applications to use Suborigins difficult.
• Create the relevant objects and allow use, but don't do any backing in the user agent. Nice because it is simple to spec and implement, and pretty much would be invisible to the user. Tough because this would be surprising behavior to a developer.
• Treat Suborigins as a new origin with their own localStorage and sessionStorage. Good because it is probably the easiest to transfer applications to, but tough because it would be difficult to figure out how to best present this to users, especially in UX.

I lean heavily towards the 3rd option because it's the "purest," and, on practical level, I think it can probably be hidden from users in the UX pretty easily.

[annevk]

I would prefer we try to ban these since they are synchronous I/O and should have no place on the platform.

[joelweinberger]

I'll let @devd and @arturjanc comment, but we've already seen issues with converting applications to sandbox and Suborigins that makes banning them impractical. I also don't particular think Suborigins is the right place to deprecate APIs because we don't like their design, but that's more of a philosophical point.

[devd]

Since suborigins are explicitly designed for "old code not trusted", it seems weird to force "this is how the future should look like" in suborigins. Sorry! I agree we want to kill these, but I don't think this is the place.

[arturjanc]

+1 to @devd / @metromoxie, I think we should maintain "feature parity" with non-suborigin contexts. Any time suborigins take something away we reduce the number of applications which can adopt them, and in the end reduce their security value.

FWIW I also like option 3; suborigins could be presented very similarly to subdomains in most UIs.

[annevk]

@devd well, now you're putting an additional tax on everyone implementing these APIs by making them more complicated.

[devd]

My general thinking is that I am ok removing all the other synchronous APIs if we can keep localStorage or one such synchronous API around. Otherwise it becomes really painful to fake these.

[mitar]

Treat Suborigins as a new origin with their own localStorage and sessionStorage. Good because it is probably the easiest to transfer applications to, but tough because it would be difficult to figure out how to best present this to users, especially in UX.

Please do this option. Using sessionStorage is very useful in our case for communicating between multiple iframes in the same suborigin. It allows a nice secure channel of communication where one does not need handles of other iframes, or postmessage over the main origin.

[mitar]

I do not see really a reason why each suborigin would not simply get their own copy of localStorage and sessionStorage?

[devd]

@jeisinger does the current implementation support localStorage in suborigins?

[arturjanc]

Yes: https://arturjanc.com/cgi-bin/suborigin-testing/localstorage.py (obviously still needs the Experimental Web Platform features flag set in Chrome).

[devd]

Should we close this out for v1? Almost everything else can be shim'ed using localStorage I believe

On May 14, 2017 10:05 AM, "arturjanc" notifications@github.com wrote:

Yes: https://arturjanc.com/cgi-bin/suborigin-testing/localstorage.py (obviously still needs the Experimental Web Platform features flag set in Chrome).

— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub https://github.com/w3c/webappsec-suborigins/issues/34#issuecomment-301325761, or mute the thread https://github.com/notifications/unsubscribe-auth/AAIXGabdXfRQUiRItEgilndYuOqSi6awks5r5zRrgaJpZM4IWuG_ .

[jeisinger]

fwiw, we separate all storage mechanisms by suborigin, so I guess it's fine to close this one

[annevk]

FWIW, it's unclear to me that changing the meaning of "origin" is the way to go. While more work, it seems better to change "origin" to "suborigin" (or some such) where needed and add the relevant tests for each case. That ensures we covered all ground and implementations won't miss anything.

Changing the meaning of an existing well understood concept was also tried with shadow DOM and it took years to sort it through.

[devd]

hey Anne! Sorry; I don't understand the concern you are referencing. Do you mind flagging the issue more explicitly? I am sure you are right but just trying to understand the concern more clearly.

[annevk]

The concern is that we have a lot of standards prose branching on origin. Rather than changing how that works without going through it all, it seems better to explicitly change the prose that needs to branch on suborigins instead.

So instead of saying "this should be physical origin" we say "this should be suborigin".

[devd]

aah ok. I think that's fine: per Jochen's note, that's what chrome does (tie storage to suborigins). Is there a particular wording change somewhere in the suborigin spec that you are alluding to? Or is this in the html spec?

[annevk]

If we go the way I suggest we'd have to change HTML for localStorage/sessionStorage (and every other feature that becomes suborigin rather than origin-bound).

[annevk]

With respect to OP I think we are concluded that localStorage and sessionStorage get their own double-keyed area, just like Indexed DB and others. How to make sure this is carefully defined is still a bit up in the air.

(To the question whether this generalizes to Origin Isolation, I don't think it should. It would make transitioning an origin to be isolated harder for marginal benefit when transitioning to isolated origins.

cc @estark37)