--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAD649j7iH%2ByPhw3diPWwsNVsonXc%3D-cNPLB4yPB7qXYx6cw-_A%40mail.gmail.com.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAD649j7iH%2ByPhw3diPWwsNVsonXc%3D-cNPLB4yPB7qXYx6cw-_A%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw9xbhX%2BRKBO8e4SVxOL5oxs2nCKRy3a%3DiQbnh1mXidAtQ%40mail.gmail.com.
LGTM2, but I found https://github.com/whatwg/storage/issues/31 + https://github.com/whatwg/storage/issues/35 and am not sure if there's a problem here? Has there been a security review of this?
Misc. trivial feedback:I eyeballed the IDL and found "Should have [SecureContext] on interface" on StorageManager, is that possible to fix now or blocked on something?
Of the open spec issues, would any of these have an impact on navigator.storage.estimate()?
On the wpt side, great to see the shared test suite, and it looks like we're using that exclusively for navigator.storage.estimate(), yay! I found https://github.com/w3c/web-platform-tests/issues/5340, I take it that isn't tested or doesn't make sense in our implementation?
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
--
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAD649j7iH%2ByPhw3diPWwsNVsonXc%3D-cNPLB4yPB7qXYx6cw-_A%40mail.gmail.com.
You received this message because you are subscribed to the Google Groups "blink-dev" group.
On Mon, May 22, 2017 at 5:22 AM, Philip Jägenstedt <foo...@chromium.org> wrote:LGTM2, but I found https://github.com/whatwg/storage/issues/31 + https://github.com/whatwg/storage/issues/35 and am not sure if there's a problem here? Has there been a security review of this?Re: #31 - there is work going on to obfuscate the sizes of cross origin resources. Note that the same data is exposed by the current Chrome-only quota APIs, so as far as Chrome is concerned this API is not revealing any new data.Re: #35 - not explicitly; again, same data being revealed by existing APIs.
Misc. trivial feedback:I eyeballed the IDL and found "Should have [SecureContext] on interface" on StorageManager, is that possible to fix now or blocked on something?Not a blocker; this was a limitation in the bindings code generator present from when persist()/persisted() were shipped. IIRC, the existence of the StorageManager interface currently 'leaks' into non-secure contexts but the attribute/methods do not. I saw a CL go by recently that may add this support.
Of the open spec issues, would any of these have an impact on navigator.storage.estimate()?Cookies and DOMStorage don't count towards Quota in Blink. Both have separate limits and LRU logic. That's something we'd like to revisit over time; the API doesn't preclude accounting changes. Cookies get particularly tricky as they are not origin-scoped.
The "boxes" concept in the spec is currently just spec fiction; an origin has exactly one "box" that everything storage-related goes into. There has been the thought that an origin could create multiple boxes for ease of resource management. This API (navigator.storage.estimate()) would apply to the entire origin; there would presumably be a way to ask a box how big it is, and we'd need a way to refer to usage of the "default box" distinct from total usage.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
--
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAD649j7iH%2ByPhw3diPWwsNVsonXc%3D-cNPLB4yPB7qXYx6cw-_A%40mail.gmail.com.
You received this message because you are subscribed to the Google Groups "blink-dev" group.
On Mon, May 22, 2017 at 7:14 PM Joshua Bell <jsb...@chromium.org> wrote:On Mon, May 22, 2017 at 5:22 AM, Philip Jägenstedt <foo...@chromium.org> wrote:LGTM2, but I found https://github.com/whatwg/storage/issues/31 + https://github.com/whatwg/storage/issues/35 and am not sure if there's a problem here? Has there been a security review of this?Re: #31 - there is work going on to obfuscate the sizes of cross origin resources. Note that the same data is exposed by the current Chrome-only quota APIs, so as far as Chrome is concerned this API is not revealing any new data.Re: #35 - not explicitly; again, same data being revealed by existing APIs.Is there a tracking bug for that obfuscation, that wouldn't be vulnerable to adding the same resource many times with '?'+Math.random() appended? As long as it's very unlikely that we won't want to fix it by removing navigator.storage.estimate() again, then it sounds fine.
Misc. trivial feedback:I eyeballed the IDL and found "Should have [SecureContext] on interface" on StorageManager, is that possible to fix now or blocked on something?Not a blocker; this was a limitation in the bindings code generator present from when persist()/persisted() were shipped. IIRC, the existence of the StorageManager interface currently 'leaks' into non-secure contexts but the attribute/methods do not. I saw a CL go by recently that may add this support.Judging just by the IDL files, it looks like there'll be no way to get an instance of StorageManager in non-secure contexts, but StorageManager.prototype.estimate and friends will be visible, although useless.
Credential.idl has SecureContext on an interface, so perhaps it now works. Or not.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
--
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAD649j7iH%2ByPhw3diPWwsNVsonXc%3D-cNPLB4yPB7qXYx6cw-_A%40mail.gmail.com.
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAD649j7jgthZDq03Mf359Aik1Ye6V-aAsW0Cp3hxG7rTUM939w%40mail.gmail.com.