at a couple of blackhat/defcon presentations (like https://www.defcon.org/html/defcon-16/dc-16-speakers.html#Stamos ) the assertion was made that off-line storage in the browser is just like cookies on steroids, and all the same tracking and exploit mechanisms that have been used against cookies in the past should also be tried/researched against off-line storage. the suggestion was also made that users should be provided with all the same UI control mechanisms and options they have to control cookies including deletion of all and specific site off-line stores. this is a tracking bug to look at these issues and suggestions and figure out if there is any good work to be done here.

adding some more to the cc list that can bring perspective from those that have developed some off-line apps and prototypes.

sounds like dcamp is working in this area for fx3.1

jonath/dcamp, and ideas on if cookie/off-line ui unification can be looked at or maybe even landed for 3.1?

poking around on mac a bit this might translate into: 1) Moving "Off-line Storage" related stuff, currently on the "Advanced" Tab to the "Privacy" Tab. Right now "Advanced" is looking like sort of a grab bag of random stuff. "Privacy" also has related off-line stuff included under "Clear Private Data" [settings] ... anyone spot other ideas? That one change might go a long way towards the suggested unification. Other unification points like integration into clearing private data look like they have already been done.

I guess we do use some differences in terminology and ordering for basically the same operations in both the cookie and storage ui. Cookies ------- [x] Accept Cookies from sites [exceptions] [x] accept 3rd party cookies [x] Keep until they expire|close|ask [show cookies] Off-line -------- Use up to [xx] space [global clear now] [x] Tell me when a website wants to store data for off-line use [exceptions] [list of sites storing data] [remove (a single site?)]

There's also bug 506692 with some discussion, and I'm not sure whether to resolve either of these two as a duplicate, so adding dependency.

Is offline storage only analogous to first party cookies? Or is there an equivalent with offline storage to third party cookies.

yeah, that's probably one way to think about it... o/l storage is like first party cookies since the info stored must be from the same domain as the site you are visiting. https://developer.mozilla.org/en/dom/storage has more technical detail on how this works and the "Storage location and clearing the data" section of that page has some reference to how dom storage interacts with the operations on cookies. adding sicking to 'cc

(In reply to comment #8) > Is offline storage only analogous to first party cookies? Or is there an > equivalent with offline storage to third party cookies. LocalStorage can be analogous to third-party cookies since you can open a third-party iframe which uses localstorage and communicate with it. IndexedDB is diabled in cross-site iframes, so it only exists as first-party storage.

Also, weren't we working on a totally different approach for specifying site-specific info. Where instead of having a cookie manager, a offline manager etc, we'd have a single "about this website" UI. This was originally targetted for FF4 but didn't make it. Is this being picked up for a later release? Is there a tracking bug?

(In reply to comment #11) > This was originally targetted for FF4 but didn't make it. Is this being picked > up for a later release? Is there a tracking bug? Boriss would know!

(In reply to comment #11) > ... a single "about this website" UI. > > This was originally targetted for FF4 but didn't make it. Is this being picked > up for a later release? Is there a tracking bug? That's bug 573176 I think!

>LocalStorage can be analogous to third-party cookies since you can open a >third-party iframe which uses localstorage and communicate with it. Do we currently have a means of disabling this? It seems like any users who are interested in disabling third party cookies would also want to turn of third party localstorage, since they are then functionally the same. We might want to collapse these two items into a single pref, since understanding the differences between the two surfaces too much of implementation model of the Web.

We don't currently have the ability to disable third-party localStorage no. Please file a bug on that, I definitely think it's something we should have.

Sure thing, filed bug 650409

Maybe this should fit in the site-specific privacy preferences (see bug 573176) ?

We're going to merge cookies into the site data manager in bug 1421737 and try to make it replace any UI that would present cookies separately from site data, I think it's safe to dupe as I don't see this bug going anywhere (and I don't see the difference to bug 506692).