Persistent storage against webkit's ITP #245

Closed
nerocrux opened this issue Oct 30, 2020 · 3 comments

@nerocrux

Hi everyone.

In this standard, it is expected that developers use Indexed DB for storing crypto objects.
https://www.w3.org/TR/WebCryptoAPI/#concepts-key-storage

However, WebKit published a "7-Day Cap on All Script-Writeable Storage" several months ago, which also covers Indexed DB.
https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/

According to this policy, if the user doesn't interact with a given site for 7 days, the storage will be cleared.
This makes the storage unusable for persistently storing crypto objects.

I understand that defining which storage to use is out of the scope of this specification; however, in most cases where this API is used (especially in SPAs), persistent storage is a must.

Do you have any suggestions for dealing with ITP? Thank you in advance.

@erhardbrand

I just want to add support to this ticket as well. Losing access to a keypair after 7 days negates a lot of use-cases for us.
Would hardware key generation & storage not be an option on supported devices, making use of the device's ability to store the keypair in hardware?

@sideshowbarker
Member

For anything to happen on this, we would need somebody to take responsibility for actively driving further discussion about it. We’re looking for an editor to possibly do that — #249 — but in the meantime, unless someone else picks up the work on this, it’s unlikely anything will happen with it.

@twiss
Member

twiss commented May 3, 2021

I agree that this is an issue, but IMHO, this issue can't be solved in the Web Crypto spec. The reason is that from the point of view of tracking prevention, stored key material can be used as a unique tracking identifier just as much as any other stored data. Therefore, the implementer needs to take tracking into account just as much as for any other storage. Thus, a general solution is needed.

That general solution might look something like StorageManager.persist() (MDN), which Chrome and Firefox already implement. So I would suggest opening an issue for that in WebKit, perhaps pointing to storing Web Crypto keys as one of the use-cases.
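
The pattern discussed in this thread, as an added example that is not part of the original issue or of the Web Crypto specification: keep a non-extractable key pair in IndexedDB, request persistent storage with StorageManager.persist(), and treat a missing key as a signal to re-enrol, since the store may still be cleared. The store name, key id, function names and the injected-dependency shape are assumptions made for illustration.

```javascript
// Added example; openKeyStore, loadOrCreateSigningKey, browserDeps, "keystore"
// and "signing" are illustrative names, not from the spec or the thread.

// Promise wrapper around one IndexedDB object store (browser only).
function openKeyStore(dbName = "keystore") {
  const ready = new Promise((resolve, reject) => {
    const req = indexedDB.open(dbName, 1);
    req.onupgradeneeded = () => req.result.createObjectStore("keys");
    req.onsuccess = () => resolve(req.result);
    req.onerror = () => reject(req.error);
  });
  const run = (mode, op) => ready.then((db) => new Promise((resolve, reject) => {
    const tx = db.transaction("keys", mode);
    const req = op(tx.objectStore("keys"));
    tx.oncomplete = () => resolve(req.result); // settle only once committed
    tx.onerror = tx.onabort = () => reject(tx.error);
  }));
  return {
    get: (id) => run("readonly", (s) => s.get(id)),
    put: (id, value) => run("readwrite", (s) => s.put(value, id)),
  };
}

// Loads the stored key pair, or creates one when the store is empty. A first
// visit and an eviction look identical here, so `created` tells the caller
// that the server must (re-)enrol the new public key.
async function loadOrCreateSigningKey({ store, storage, generate }) {
  // Request persistence where the API exists; without it, or if the request
  // is refused, the origin's data stays "best effort" and may be cleared.
  let persisted = false;
  if (storage && typeof storage.persist === "function") {
    persisted = (await storage.persisted()) || (await storage.persist());
  }
  let keyPair = await store.get("signing");
  const created = !keyPair;
  if (created) {
    keyPair = await generate(); // generated outside any IndexedDB transaction
    await store.put("signing", keyPair);
  }
  return { keyPair, created, persisted };
}

// Browser wiring: non-extractable ECDSA P-256 pair, stored as CryptoKey objects.
const browserDeps = () => ({
  store: openKeyStore(),
  storage: navigator.storage,
  generate: () => crypto.subtle.generateKey(
    { name: "ECDSA", namedCurve: "P-256" }, false, ["sign", "verify"]),
});
```

In a page, call `loadOrCreateSigningKey(browserDeps())` and send the public key to the server whenever `created` is true.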
