That's why we can be sure to lose our data saved in browser storage!


PMario

Mar 26, 2020, 7:16:44 AM
to tiddl...@googlegroups.com

Hi folks,


Just to let you know what's going on with Safari and other WebKit-based browsers. This will probably affect everyone who wants to use the "TW Browser Storage plugin", which uses LocalStorage.

There are some reactions already, but who knows. ...

have fun!
mario

Cited from: https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/ at 2020.03.26 12:06
7-Day Cap on All Script-Writeable Storage

Back in February 2019, we announced that ITP would cap the expiry of client-side cookies to seven days. That change curbed third-party scripts’ use of first-party cookies for the purposes of cross-site tracking.

However, as many anticipated, third-party scripts moved to other means of first-party storage such as LocalStorage. If you have a look at what’s stored in the first-party space on many websites today, it’s littered with data keyed as various forms of “tracker brand user ID.” To make matters worse, APIs like LocalStorage have no expiry function at all, i.e. websites cannot even ask browsers to put a limit on how long such storage should stay around.

Now ITP has aligned the remaining script-writable storage forms with the existing client-side cookie restriction, deleting all of a website’s script-writable storage after seven days of Safari use without user interaction on the site. These are the script-writable storage forms affected (excluding some legacy website data types):

  • Indexed DB
  • LocalStorage
  • Media keys
  • SessionStorage
  • Service Worker registrations

A Note On Web Applications Added to the Home Screen

As mentioned, the seven-day cap on script-writable storage is gated on “after seven days of Safari use without user interaction on the site.” That is the case in Safari. Web applications added to the home screen are not part of Safari and thus have their own counter of days of use. Their days of use will match actual use of the web application which resets the timer. We do not expect the first-party in such a web application to have its website data deleted.

If your web application does experience website data deletion, please let us know since we would consider it a serious bug. It is not the intention of Intelligent Tracking Prevention to delete website data for first parties in web applications.


 

TonyM

Mar 27, 2020, 1:36:25 AM
to TiddlyWiki
Mario

I would like to know more about what you think here. I know we sometimes take a different perspective on these issues, but I genuinely would like to know your view, which I respect.

To me distributed apps and interactive browsers are the way of the future. I understand the need for security; I have even worked in IT security as a professional. But until recently I thought the browser wowsers were just overshooting, then I thought it was an example of the security tail wagging the dog.

But now, it seems to be the big internet players don't want us to ever detach from their attention seeking teat. If they can keep us connected they can continue to count us as a product to sell.

I believe it would be trivial to allow an appropriate user side permissions process that ruled in or out permanent local storage and also monitored and reported on local storage activities of apps and sites mediated by the browser.

If it were not already used I would call this an application firewall.

Yet I now realise the big players do not want us to be free and independent of them because if we are they may lose us, so I am not surprised they use security as an excuse to reduce our choice in how we use local storage. I am sure they wish we all had thin clients designed by them.

Safari is the browser driven by the most proprietary and closed market player, Apple. I believe that's why we see this kind of thing in their products first; it is too generous to believe they are doing it for our good. Let's hope Firefox can keep it open.

Regards
Tony

Jeremy Ruston

Mar 27, 2020, 7:01:05 AM
to TiddlyWiki
Hi Tony

TonyM wrote:
Yet I now realise the big players do not want us to be free and independent of them because if we are they may lose us, so I am not surprised they use security as an excuse to reduce our choice in how we use local storage. I am sure they wish we all had thin clients designed by them.

Safari is the browser driven by the most proprietary and closed market player, Apple. I believe that's why we see this kind of thing in their products first; it is too generous to believe they are doing it for our good. Let's hope Firefox can keep it open.

Apple and WebKit are very clear that their motivation is user privacy, and in particular blocking the kind of third party tracking that Facebook and Google use to target advertisements as we move around the web. The problem is that local storage has been abused by advertisers ever since browsers clamped down on cookies; it’s not possible to stop the bad guys from abusing the feature without also blocking the good guys (otherwise the bad guys would just pretend to be good guys).

It sounds bleak at first, but it’s clear that the web has to continue to evolve as if every participant was potentially malicious. The obstacle we face at the moment is that the world's leading browser is Chrome, a browser explicitly engineered to further business interests of Google, and there’s no chance that it will ever adopt the aggressive privacy protections offered by Apple. (One can get an insight into how much of Chrome is dubious from a privacy perspective by the long list of things that Microsoft takes out or disables for Edge: https://www.thurrott.com/cloud/web-browsers/microsoft-edge/204585/these-are-the-features-microsoft-turned-off-or-replaced-in-chromium-based-edge)

I understand why people stick to the old idea that Apple is motivated solely by lock-in, but I always recommend their stuff to people who can afford it for the simple reason that their business model is aligned with the interests of their users. They profit by selling the best hardware that they can make, and they have zero motivation to track me or invade my privacy.

Apple has an interesting history of taking privacy much more seriously than other vendors. For example, they introduced full disc encryption protected with the passcode with the iPhone 3GS, far ahead of any Android manufacturer. In fact, they engineered a separate secure enclave to make it possible to capture and store photos and videos while the phone was locked and the main disc was encrypted.

Another example is that Apple offers peer-to-peer file transfer via something they call AirDrop. Google would do that via the cloud, but Apple added a second wifi antenna to their devices so that when two devices exchange a file the protocol is actually that they use Bluetooth to find each other, and then one of the devices sets up an ad hoc wifi network which the other device connects to for the file transfer.

Apple doesn’t usually go into those kinds of details at product launches; they leave it to their security whitepapers. They are quite interesting and detailed:


I’ve found that to understand the behaviour and motivations of corporations you need to look at the money flows from their perspective. The danger is getting sucked into easy anthropomorphism.

Best wishes

Jeremy


Mark S.

Mar 27, 2020, 11:31:37 AM
to TiddlyWiki
I wish there was some more detailed information on how to use browser storage. Sometimes it seems to work, and sometimes it doesn't.

For instance, does the storage immediately use the filter that you provide, or only on startup? What triggers the local saver to save (any change? tiddler closings?)

My main use case would be to use it with github pages. If you read the TOS, you realize that github could shut you down if they think you're abusing their service, which a commit every two or three seconds for an extended period of time would probably look like to them. So using local storage for a half hour or so before hitting the "save" button would allow you to work without fear of losing your work and yet be able to make a permanent save as needed. The 7 day cap would not be a problem in that case.

The other use would be in terms of mobile usage, where you're away. In that case, the download saver would be the best bet. On my device, local storage appears to work but, for instance, file backups doesn't. The download saver requires you to manually copy a file from the download directory to wherever you need it. This is pretty tedious. So using the local saver for a day or two would be really helpful. That way you would only need to perform a manual operation on an occasional basis.
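
The workflow described in the post above (hold edits in browser storage briefly, then make a permanent save), as an added example that is not part of the thread or of the TW Browser Storage plugin. The `draft:` key prefix, the two-day export limit and the in-memory storage stand-in are assumptions made for the illustration.

```javascript
// Added example: hypothetical key prefix and limits, not TiddlyWiki's own format.
const PREFIX = "draft:";                       // assumed key namespace
const DAY_MS = 24 * 60 * 60 * 1000;
const EXPORT_LIMIT_MS = 2 * DAY_MS;            // assumed margin, well under the 7-day cap

// Minimal localStorage stand-in so the example also runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    get length() { return m.size; },
    key: (i) => Array.from(m.keys())[i] ?? null,
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}

// Buffer one change; returns false if the browser refuses the write.
function bufferChange(storage, title, text, now) {
  try {
    storage.setItem(PREFIX + title, JSON.stringify({ text, savedAt: now }));
    return true;
  } catch (err) {
    return false;                              // quota exceeded or storage disabled
  }
}

// Summarise what exists only in browser storage.
function pendingStatus(storage, now) {
  let count = 0, unreadable = 0, oldest = null;
  for (let i = 0; i < storage.length; i++) {
    const key = storage.key(i);
    if (key === null || !key.startsWith(PREFIX)) continue;
    try {
      const { savedAt } = JSON.parse(storage.getItem(key));
      if (typeof savedAt !== "number") throw new Error("no timestamp");
      count++;
      if (oldest === null || savedAt < oldest) oldest = savedAt;
    } catch (err) {
      unreadable++;                            // corrupt entry: count it, never drop silently
    }
  }
  const oldestAgeMs = oldest === null ? 0 : now - oldest;
  const exportNow = unreadable > 0 || oldestAgeMs >= EXPORT_LIMIT_MS;
  return { count, unreadable, oldestAgeMs, exportNow };
}
```

In a browser, pass `window.localStorage` instead of `memoryStorage()`. The `exportNow` flag only limits how much work sits in evictable storage; it does not stop the browser from deleting it.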

TiddlyTweeter

Mar 28, 2020, 3:54:37 AM
to TiddlyWiki
Mark S. wrote:
I wish there was some more detailed information on how to use browser storage. Sometimes it seems to work, and sometimes it doesn't.

Agreed. For some TW that hold data for short term (e.g. student bookmarks some items for near immediate use) I have used it. But proved unreliable as a standard delivery method cross-browser.

I also wanted to figure out how you would back-up consistently so you could transport, if necessary.

What I thought might be a simple short-term solution got complicated to explain and also, often, use.

TT

TiddlyTweeter

Mar 28, 2020, 4:03:41 AM
to TiddlyWiki
Jeremy Ruston wrote:

Apple and WebKit are very clear that their motivation is user privacy, and in particular blocking the kind of third party tracking that Facebook and Google use to target advertisements as we move around the web. The problem is that local storage has been abused by advertisers ever since browsers clamped down on cookies; it’s not possible to stop the bad guys from abusing the feature without also blocking the good guys (otherwise the bad guys would just pretend to be good guys).

It sounds bleak at first, but it’s clear that the web has to continue to evolve as if every participant was potentially malicious. The obstacle we face at the moment is that the world's leading browser is Chrome, a browser explicitly engineered to further business interests of Google, and there’s no chance that it will ever adopt the aggressive privacy protections offered by Apple. (One can get an insight into how much of Chrome is dubious from a privacy perspective by the long list of things that Microsoft takes out or disables for Edge: https://www.thurrott.com/cloud/web-browsers/microsoft-edge/204585/these-are-the-features-microsoft-turned-off-or-replaced-in-chromium-based-edge)

That Edge "reduction list" is very enlightening!

TT


TiddlyTweeter

Mar 28, 2020, 4:13:31 AM
to TiddlyWiki

PMario wrote:

Just to let you know what's going on with Safari and other WebKit-based browsers. This will probably affect everyone who wants to use the "TW Browser Storage plugin", which uses LocalStorage.

Cited from: https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/ at 2020.03.26 12:06
7-Day Cap on All Script-Writeable Storage

... It is not the intention of Intelligent Tracking Prevention to delete website data for first parties in web applications.


 Just FYI I did notice that fairly decent anti-tracker tools like "Privacy Badger" don't appear to fully understand "local storage" on Chrome or Firefox.

TT

PMario

Mar 28, 2020, 4:29:54 AM
to tiddl...@googlegroups.com

Hi folks,
I did manage to remove and lose my first post. So Jeremy was so kind to post it to me again.

So here it is again.

-------------------------

Hi Tony, 

I just wanted to point out, that browser internal persistent storage isn't and probably never will be ready, to be used in a "productive" tiddlywiki workflow, other than for experimenting. 

For a "Note taking app" we need to be sure, that our data is saved permanently. It shouldn't disappear on "strange rules", that nobody understands, or even wants to understand. 

Losing data in a shopping app isn't a big deal. It's nice that my online-shop web-app can identify me automatically, if I visit the site again. .. BUT it doesn't really matter if it doesn't. If I really need something, I'll log-in again. ... If I don't log in again, I probably didn't really need that stuff. .. GOOD ... money saved ;)

But if I lose 2 or more hours of refactoring work in tiddlywiki, this is a big problem. It really hurts users. 

As Jeremy pointed out, "the bad guys" misuse local storage, since browsers block 3rd party cookies. They implement more and more advanced tracking mechanisms, to target us with Ads. 

That's one reason why browsers allow us to select: "Delete cookies and site data when <your browser name here> is closed" in the "Security and Privacy" options. Most of those settings are "off by default". ... That's why they can be "misused".

So I do understand the decision WebKit devs want to implement ... and doing it in the name of privacy ... is a good and plausible reason. BUT I think "hurting" Web-Apps is a nice side-effect. Apple has been against Web-apps all the time. They do favour native apps. ... Their native apps and nothing else.

I also think that Apple makes "stunning" devices but I personally didn't buy one. I use "self-made" PCs and I don't want to throw away all the stuff, just to be locked in, with overpriced hardware, that I can't change on my own or add additional memory. I won't buy hardware where I can't install ad-blockers, or run Firefox. (The real one, without WebKit.)

I haven't seen ads since the early 2000s and I'm not going to change that. _And_ I need a keyboard. I just can't stand the on-screen "view-blocking" mess. 

If someone comes up with a Nokia E90 predecessor with a "real OS" instead of an advertising platform, I'll throw my existing phone as far away as I can. 

have fun!
mario

TiddlyTweeter

Mar 28, 2020, 5:21:51 AM
to TiddlyWiki
PMario wrote:
...
Losing data in a shopping app isn't a big deal. It's nice that my online-shop web-app can identify me automatically, if I visit the site again. .. BUT it doesn't really matter if it doesn't. If I really need something, I'll log-in again. ... If I don't log in again, I probably didn't really need that stuff. .. GOOD ... money saved ;) 

But if I lose 2 or more hours of refactoring work in tiddlywiki, this is a big problem. It really hurts users. 

Right.

My issue for frequent use is simply having some local universal method that works "out-of-the-box". 

The case use is specifically transient TW that hold data to select from for a few days by students.
These are not persistent wikis.

I played around with "local storage" to deliver that. 
In theory, naively, I thought it would be a "doddle" (easy). 
In reality it proved fine for ME, but for end users (the target) it proved cumbersome and confusing.

Regardless of other issues, IME, "local storage" is not a good universal way forward to simplicity.

TT