let WHATWG 5 localStorage object be landed on 1.9.1, bug 422526

Honza Bambas

Mar 2, 2009, 12:18:44 PM
to dev-pl...@lists.mozilla.org
As recently discussed, there are movements to reopen 1.9.1 (Firefox 3.1)
to new features. The localStorage object implementation, considered really
important for 3.1, missed the feature freeze by just a few days in October
2008.

I believe it is important to introduce this new feature as it is a true
solution to security issues with the globalStorage object that has to be
replaced with localStorage and we want to adapt web developers to switch
to use localStorage ASAP. We introduce many new WHATWG features in 3.1;
this should be one of them.

There is already a reviewed patch; it just needs one last review round of
a few changes in security code introduced before the patch gets landed on
trunk. There are complete tests and the localStorage code is based on
existing code for globalStorage.

The bug: https://bugzilla.mozilla.org/show_bug.cgi?id=422526

Opinions?
-hb-

Boris Zbarsky

Mar 2, 2009, 12:28:36 PM
Honza Bambas wrote:
> There is already a reviewed patch; it just needs one last review round of
> a few changes in security code introduced before the patch gets landed on
> trunk.

That seems to me to fail the "small, isolated, easy to back out" criteria.

-Boris

Mike Beltzner

Mar 2, 2009, 12:31:02 PM
to Honza Bambas, dev-pl...@lists.mozilla.org
On 2-Mar-09, at 12:18 PM, Honza Bambas wrote:

> As recently discussed, there are movements to reopen 1.9.1 (Firefox
> 3.1) to new features. The localStorage object implementation,
> considered really important for 3.1, missed the feature freeze by just
> a few days in October 2008.

To be clear, we're not talking about "opening 1.9.1 to new features."
As always, and as I've expressed before, we will continue to consider
safe, scoped, tested patches that convince us of a good reward for
risk tradeoff and actually solve problems that the web is experiencing
today.

> I believe it is important to introduce this new feature as it is a
> true solution to security issues with the globalStorage object that
> has to be replaced with localStorage and we want to adapt web
> developers to switch to use localStorage ASAP. We introduce many new
> WHATWG features in 3.1; this should be one of them.

Do we know of developer demand for localStorage or even current use of
globalStorage? I understand the goals of the object, but don't
understand the current need or demand which will help me understand
the value of taking the change.

> There is already a reviewed patch; it just needs one last review round
> of a few changes in security code introduced before the patch gets
> landed on trunk. There are complete tests and the localStorage code
> is based on existing code for globalStorage.

That makes me think that we're probably low on the risk side, since
it's based on a feature that's baked. Have the people who did
globalStorage reviewed localStorage? Has it gone through a security
review?

> The bug: https://bugzilla.mozilla.org/show_bug.cgi?id=422526

Thanks for starting this conversation.

cheers,
mike

Honza Bambas

Mar 2, 2009, 1:54:54 PM
to Mike Beltzner, dev-pl...@lists.mozilla.org
Mike Beltzner wrote:
> On 2-Mar-09, at 12:18 PM, Honza Bambas wrote:
> Do we know of developer demand for localStorage or even current use of
> globalStorage? I understand the goals of the object, but don't
> understand the current need or demand which will help me understand
> the value of taking the change.
>
We introduced some new offline web application technology with 1.9.0,
and now we are adding more to 1.9.1 to make it an almost complete kit for
making offline web apps. A need for some kind of storage for local data
(to make web apps really "offline") will arise with this. So web
developers will start using the globalStorage object at least. When we
replace it with localStorage, they will have to adapt their web apps to
use localStorage.

Personally, as I'm an offline web app developer too, I am considering
using a wrapped globalStorage for my local data and letting the wrapper be
automatically ready to use localStorage when it is introduced. So it is
not critical to have localStorage at the moment, but it puts some effort
on web developers, who need to store data to both localStorage and
globalStorage to avoid compatibility problems and data loss when people
revert to a version of the browser w/o localStorage support.

Among 'pure' web pages I am aware of just cnn.com using globalStorage,
which is not that bad as we don't have to introduce massive evangelism to
adapt to localStorage.

>> There is already a reviewed patch; it just needs one last review round
>> of a few changes in security code introduced before the patch gets landed
>> on trunk. There are complete tests and the localStorage code is based
>> on existing code for globalStorage.
>
> That makes me think that we're probably low on the risk side, since
> it's based on a feature that's baked. Have the people who did
> globalStorage reviewed localStorage?

Yes


> Has it gone through a security review?
>

Not so far AFAIK, at least I didn't do that myself.


Boris Zbarsky wrote:
> Honza Bambas wrote:
>> There is already a reviewed patch; it just needs one last review round
>> of a few changes in security code introduced before the patch gets landed
>> on trunk.
>
> That seems to me to fail the "small, isolated, easy to back out"
> criteria.

I agree this is not easy to back out. There are changes to the database
keying model that affect the global storage impl, and there are also
database updates that are not that easy to revert when users go back to
an older version, however we just may not drop the old table. But, on
the other hand, this problem was already there between 1.8.1 and 1.9.0
when globalStorage was introduced - we drop all tables for the previous
browser version.

Also there is work left, but it applies to the current globalStorage impl
as well - storage event management is not AFAIK very complete.


Thanks for feedback.

-hb-
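
The wrapper approach mentioned in the message above (store to both objects, prefer localStorage when present), sketched as an added example that is not code from the thread, from bug 422526, or from Mozilla. `createStore`, `env`, `makeFakeStorage` and the host name are hypothetical, and the storage objects are constructed in-memory stand-ins so the sketch runs outside a browser.

```javascript
// Added illustration; createStore, env and makeFakeStorage are hypothetical names.

// Constructed in-memory stand-in for a DOM Storage object so this runs in Node.
function makeFakeStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
  };
}

function createStore(env) {
  const backends = [];
  // Preferred backend: localStorage, when the browser provides it.
  if (env.localStorage) backends.push(env.localStorage);
  // Legacy backend: globalStorage is indexed by host name.
  if (env.globalStorage && env.hostname) {
    backends.push(env.globalStorage[env.hostname]);
  }
  if (backends.length === 0) throw new Error('no storage backend available');

  // Normalize a missing key to null and any stored value to a string.
  const read = (backend, key) => {
    const v = backend.getItem(key);
    return v === null || v === undefined ? null : String(v);
  };

  return {
    // Dual-write so a later downgrade to a browser without localStorage
    // still finds current data in globalStorage.
    set(key, value) {
      for (const b of backends) b.setItem(key, value);
    },
    // Read from the preferred backend first; on a hit in the legacy backend,
    // copy the value forward so localStorage catches up after an upgrade.
    get(key) {
      for (let i = 0; i < backends.length; i++) {
        const v = read(backends[i], key);
        if (v !== null) {
          for (let j = 0; j < i; j++) backends[j].setItem(key, v);
          return v;
        }
      }
      return null;
    },
    remove(key) {
      for (const b of backends) b.removeItem(key);
    },
  };
}

// Constructed scenario: write on an old browser, upgrade, then downgrade.
function demoUpgradeDowngrade() {
  const hostname = 'app.example.test'; // constructed host name
  const globalStorage = { [hostname]: makeFakeStorage() };
  createStore({ globalStorage, hostname }).set('draft', 'v1');

  const localStorage = makeFakeStorage();
  const upgraded = createStore({ localStorage, globalStorage, hostname });
  const migrated = upgraded.get('draft'); // found in globalStorage, copied forward
  const copiedForward = localStorage.getItem('draft');
  upgraded.set('draft', 'v2');

  const afterDowngrade = createStore({ globalStorage, hostname }).get('draft');
  return { migrated, copiedForward, afterDowngrade };
}
```

In a browser the caller would pass `window.localStorage`, `window.globalStorage` and `location.hostname` as `env`, each only if it exists.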

Clint Talbert

Mar 4, 2009, 1:43:11 PM
On 3/2/09 9:31 AM, Mike Beltzner wrote:
> On 2-Mar-09, at 12:18 PM, Honza Bambas wrote:
>
> Do we know of developer demand for localStorage or even current use of
> globalStorage? I understand the goals of the object, but don't
> understand the current need or demand which will help me understand the
> value of taking the change.
I was at a python group meetup a few weeks ago and got accosted by a
developer who demanded to know how we were testing our throughput for
the HTML 5 localStorage implementation. I was a bit shocked by the
question (seeing as the patch hasn't landed...).

In further discussion with him I found out that he's developing a whole
slew of internet based games which will be using localStorage as the
caching mechanism for game state. So, that's a very alternative use for
the feature, and I thought I'd share that use case. It certainly gave me
a bunch of ideas about different ways to test the feature.

Clint

bent

Mar 5, 2009, 1:02:49 PM
This may be neither here nor there, but Google has just added offline
to calendar through Gears:

http://gmailblog.blogspot.com/2009/03/view-google-calendar-offline.html

Now GMail, GReader, and GCal all use Gears. If there's anything we can
do to provide a spec-supported alternative to Gears sooner rather than
later then maybe we should try it?

-Ben

Jonas Sicking

Mar 5, 2009, 2:58:29 PM

Additionally IE8 is shipping with localStorage so it would be a pretty
immediate gain for web developers.

Out of all the discussions around letting more features in, I think this
one is the most interesting I've heard mentioned.

/ Jonas

Mike Shaver

Mar 5, 2009, 3:12:43 PM
to bent, dev-pl...@lists.mozilla.org

Do those applications rely only on things that are specified in the
offline work in WHATWG? (I doubt that the localStorage/globalStorage
thing is the only barrier.)

Mike

Mike Beltzner

Mar 5, 2009, 3:20:11 PM
to Mike Shaver, dev-pl...@lists.mozilla.org, bent
On 5-Mar-09, at 3:12 PM, Mike Shaver wrote:

> On Thu, Mar 5, 2009 at 1:02 PM, bent <bent.m...@gmail.com> wrote:

> Do those applications rely only on things that are specified in the
> offline work in WHATWG? (I doubt that the localStorage/globalStorage
> thing is the only barrier.)

It's not, no. To support those things, AIUI, we'd need to implement
the Database Storage (5.11.2) feature of the HTML5 spec. Put plainly:
localStorage doesn't get us "native Gears compatibility".

cheers,
mike

Mike Shaver

Mar 5, 2009, 3:31:14 PM
to Mike Beltzner, dev-pl...@lists.mozilla.org, bent

Would even that be sufficient (assuming that the HTML5 spec were
sufficiently detailed to implement without looking at someone else's
implementation source), or do they rely on other Gears features as
well? I had understood the latter, but haven't investigated in
sufficient detail to be sure.

Mike

bent

Mar 5, 2009, 3:35:09 PM
Sorry, I didn't mean to imply that localStorage was the only thing
that stood in the way of achieving Gears parity... I should have said

"If there's anything we can do to provide a spec-supported alternative
to *some features* of Gears".

localStorage may not be all that GCal needs but it seems like it would
certainly allow other web apps to not require a Gears download. And
who knows, maybe GCal could survive just fine with only a decent
localStorage (I'm really not in any position to speculate)... The
point is that Gears is really all there is at the moment and it seems
smart to begin offering spec-supported alternatives, even if only to
certain pieces, as soon as we can.

-Ben

Mike Shaver

Mar 5, 2009, 4:05:18 PM
to bent, dev-pl...@lists.mozilla.org
On Thu, Mar 5, 2009 at 3:35 PM, bent <bent.m...@gmail.com> wrote:
> localStorage may not be all that GCal needs but it seems like it would
> certainly allow other web apps to not require a Gears download.

It would be good to know how many such web apps there are, certainly,
or to have some representative samples.

Mike

Mike Beltzner

Mar 5, 2009, 4:11:04 PM
to Mike Beltzner, dev-pl...@lists.mozilla.org, bent
On 5-Mar-09, at 4:08 PM, Mike Beltzner wrote:

> Fully agreed. I actually think we probably should take localStorage.
> I just wanted to make sure we were evaluating it in the right
> context. The fact that it's very similar to an already baked
> feature, and has had some bake time on trunk, gives me a great deal
> of confidence.

Sorry, I got mixed up here. This has *not* landed on trunk yet, which
changes my decision making context considerably, and removes that
great deal of confidence and replaces it with an equal measure of
apprehension.

cheers,
mike

Boris Zbarsky

Mar 5, 2009, 4:27:02 PM
Mike Beltzner wrote:
> Sorry, I got mixed up here. This has *not* landed on trunk yet, which
> changes my decision making context considerably, and removes that great
> deal of confidence and replaces it with an equal measure of apprehension.

For what it's worth, that's about where I am, if my opinion of the "just
needs one last review round of a few changes in security code introduced"
characterization in Honza's original mail didn't make that clear.

-Boris

Honza Bambas

Mar 5, 2009, 4:49:57 PM
to dev-pl...@lists.mozilla.org
The patch was ready to land, but before that happened, changes to dom
storage were made. When the patch soon gets reviewed (by jst) and gets
a security review, then is landed on trunk and things go well, will it
have more chances to land on 1.9.1?

The fact that IE8 is shipped with localStorage is IMHO a strong motivation
to have it as well ASAP because web developers will get adapted to
localStorage. What we offer is globalStorage with a security restriction
and an obsolete API. Now is a good time to add localStorage, as not many
web apps and sites use storage objects at the moment.

(BTW, beside localStorage I would also /much more/ appreciate SQL-like
storage for complex data, and I intend to introduce this support as an
extension based on mozStorage API, at least to give it a try and see the
problems why we don't want it in Gecko myself)


-hb-

Boris Zbarsky

Mar 5, 2009, 5:07:43 PM
Honza Bambas wrote:
> (BTW, beside localStorage I would also /much more/ appreciate SQL-like
> storage for complex data, and I intend to introduce this support as an
> extension based on mozStorage API, at least to give it a try and see the
> problems why we don't want it in Gecko myself)

We have no problem with SQL-like storage. We just don't want to ship
something that exposes implementation details (e.g. behaves exactly like
a particular version of SQLite, forcing us to ship that version
forevermore in order to avoid breaking website compat).

-Boris

Jonas Sicking

Mar 5, 2009, 5:54:50 PM
Mike Shaver wrote:

> On Thu, Mar 5, 2009 at 2:58 PM, Jonas Sicking <jo...@sicking.cc> wrote:
>> Additionally IE8 is shipping with localStorage so it would be a pretty
>> immediate gain for web developers.
>>
>> Out of all the discussions around letting more features in, I think this one
>> is the most interesting I've heard mentioned.
>
> Interesting according to what criteria? The things we're interested
> in for 1.9.1b4 are "small, isolated, easy to back out, well-tested".
> It sounds like the localStorage work is invasive and not yet complete,
> so it doesn't seem interesting for this release at a casual glance.

The part that makes it interesting to me is that it's putting a useful
tool into web developers' hands that they can take advantage of very quickly.

The patch is big though, but it seems pretty isolated at a glance. Seems
like most of the existing code it touches is the globalStorage object,
which means that testing for regressions should be fairly easy. It also
means that the worst case scenario (totally hosed globalStorage) is not
catastrophic.

We were in a similar situation for FF3.0 when we considered adding
postMessage. In the end we took that patch and I believe we are better
off because of it. But of course we might have just gotten lucky, and
the patch was smaller iirc.

Landing ASAP and lots of tests would definitely be a requirement though.

/ Jonas

Damon Sicore

Mar 5, 2009, 7:15:06 PM
to Mike Shaver, dev-pl...@lists.mozilla.org, bent

On Mar 5, 2009, at 1:05 PM, Mike Shaver wrote:

> On Thu, Mar 5, 2009 at 3:35 PM, bent <bent.m...@gmail.com> wrote:
>> localStorage may not be all that GCal needs but it seems like it
>> would certainly allow other web apps to not require a Gears download.
>
> It would be good to know how many such web apps there are, certainly,
> or to have some representative samples.

Wordpress 2.7.1 has support for Gears. You can interact with your
blog offline.


Mike Beltzner

Mar 5, 2009, 7:17:51 PM
to Damon Sicore, dev-pl...@lists.mozilla.org, bent, Mike Shaver
On 5-Mar-09, at 7:15 PM, Damon Sicore wrote:

>> It would be good to know how many such web apps there are, certainly,
>> or to have some representative samples.
>
> Wordpress 2.7.1 has support for Gears. You can interact with your
> blog offline.

The Wordpress 2.7.1 "turbo" function can actually work with the level
of offline-application support we have now. It uses globalStorage (I
think? or DOMStorage?) and application cache pinning, both of which we
support. They just need to turn on the Turbo button for Firefox 3.1.
There's a bug.

cheers,
mike

Jonas Sicking

Mar 5, 2009, 8:19:27 PM
to Mike Beltzner, Damon Sicore, dev-pl...@lists.mozilla.org, bent, Mike Shaver

I'm pretty convinced that localStorage is something that developers will
find useful. As always it won't be enough to satisfy everyone, GMail
probably wouldn't want to store all your unread mail in localStorage,
but it could store a draft you're currently writing but that can't be
saved due to lost connection to the server.

So I think the question is rather if the patch is safe and finished
enough to go in. (where the 'safe' part includes back-out-ability and
tested-ness).

/ Jonas

Boris Zbarsky

Mar 5, 2009, 8:36:59 PM
Jonas Sicking wrote:
> We were in a similar situation for FF3.0 when we considered adding
> postMessage. In the end we took that patch and I believe we are better
> off because of it. But of course we might have just gotten lucky, and
> the patch was smaller iirc.

The patch was smaller. The feature was smaller in terms of behavior
complexity. The spec was smaller. These are not unrelated things...

Having been involved in some of the reviews for our globalStorage code
and followups, changes to this sort of thing at this stage scare me.

That said, having just read the patch, it's basically all changes to the
storage sql-munging and DOMWindow parts of storage, plus the classinfo
glue and tests. At least it's not touching the icky
docshell/windowwatcher parts....

-Boris

Dan Mosedale

Mar 6, 2009, 12:44:20 PM

Whatever we implement isn't going to be perfectly specified, and is
additionally going to have some set of bugs and implementation details
that web developers are going to have to cope with down the road.
Whether that set does or doesn't happen to match a particular version of
SQLite doesn't seem all that interesting.

I guess I'm not clear on what alternative you're envisioning...

Dan

Shawn Wilsher

Mar 6, 2009, 1:08:08 PM
to Dan Mosedale, dev-pl...@lists.mozilla.org
On 3/6/09 9:44 AM, Dan Mosedale wrote:
> Whatever we implement isn't going to be perfectly specified, and is
> additionally going to have some set of bugs and implementation details
> that web developers are going to have to cope with down the road.
> Whether that set does or doesn't happen to match a particular version of
> SQLite doesn't seem all that interesting.
>
> I guess I'm not clear on what alternative you're envisioning...
I think most folks' unhappiness comes from the fact that there is
absolutely no specification on what "SQL" is. The unwritten rule is
"whatever SQLite does," but that's a horrible way to spec something out
(IMHO).

Besides, SQL doesn't feel like a very DOM-oriented API. We should be
able to do better...

Cheers,

Shawn

Boris Zbarsky

Mar 6, 2009, 1:35:47 PM
Dan Mosedale wrote:
> Whatever we implement isn't going to be perfectly specified, and is
> additionally going to have some set of bugs and implementation details
> that web developers are going to have to cope with down the road.
> Whether that set does or doesn't happen to match a particular version of
> SQLite doesn't seem all that interesting.

While true, if we implement something with no spec at all, leaving it to
either web developer guesses or their reading of sqlite documentation
(which changes as they release new versions) to figure out what will
work and what won't, we end up with a much better chance of web
developers depending on something that we actually want to change.

> I guess I'm not clear on what alternative you're envisioning...

Actually writing down a description of the supported SQL, say?

-Boris

Mike Beltzner

Mar 6, 2009, 4:01:24 PM
to Boris Zbarsky, dev-pl...@lists.mozilla.org
Hey everyone,

I think we've exhausted this topic and come to the following
conclusions:

- until localStorage is reviewed and baked on trunk, we can't
consider taking it on 1.9.1
- there is some - but not deep - evidence that localStorage would
aid problems being faced today by web application developers
- IE8 will implement localStorage, so we may want to consider it for
compatibility aims

I suggest we table an item at next Tuesday's roundtable meeting to
come to a conclusion, and if at all possible, get the feature reviewed
and landed on trunk ASAP.

A side conversation erupted about supporting HTML5 Databases, and
points were made about the pros and cons of doing so. I suggest that
topic is better suited for the mozilla.dev.platform group, not this
planning group.

cheers,
mike

Honza Bambas

Mar 6, 2009, 8:30:32 PM
to Mike Beltzner, Boris Zbarsky, dev-pl...@lists.mozilla.org
Mike Beltzner wrote:
> A side conversation erupted about supporting HTML5 Databases, and
> points were made about the pros and cons of doing so. I suggest that
> topic is better suited for the mozilla.dev.platform group, not this
> planning group.
>
For those interested see
http://groups.google.cz/group/mozilla.dev.platform/browse_thread/thread/49aa555219df43ae#

-hb-

> cheers,
> mike

Robert O'Callahan

Mar 9, 2009, 10:03:59 PM
On 3/3/09 6:31 AM, Mike Beltzner wrote:
> Do we know of developer demand for localStorage or even current use of
> globalStorage? I understand the goals of the object, but don't
> understand the current need or demand which will help me understand the
> value of taking the change.

People are waking up to the possibilities of HTML5 offline apps. E.g.
http://www.readwriteweb.com/archives/google_goes_html5_demoes_expermental_gmail.php
http://blog.msc-mobile.com/2009/03/03/1236073555483.html

Right now, the only client-side storage option we offer is
globalStorage, which is obsolete. If we don't offer localStorage, then
people aren't even going to bother trying our offline capabilities.
They'll target Webkit and probably end up using the SQL API instead.
That will not be a good result.

Rob
