-
Notifications
You must be signed in to change notification settings - Fork 55
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Callback on every site accessing non-cookie storage #165
Comments
(Apologies for a rambling reply; I'm feeling under the weather at the moment but this does raise good questions so I thought I'd weigh in.) Integration of the actual storage endpoint API specs with Storage's bucket/bottle/etc model is very much a work in progress (at very low priority), and IMHO will likely require some tweaks to the Storage model. I believe the currently intended hook is defined in https://storage.spec.whatwg.org/#model and so you'd hook "obtain a storage bottle map". But again, this is all very much spec fiction at the moment and I think it's fair to say (but I'm happy to be corrected!) that we haven't done the work to align the specs with reality or vice versa, so it's difficult to answer the "could the browser run this algorithm for a non-site reason?" question. For example, I think user-initiated clearing browsing data would count? Non-storage APIs that need to follow the storage partitioning (e.g. BroadcastChannel, Web Locks, etc) also need a way to play here, and behind the scenes I assume the implementations use the storage keys, though that's not exported from Storage. |
For such APIs, the storage spec currently exports the "obtain a storage key for non-storage purposes" definition: https://storage.spec.whatwg.org/#obtain-a-storage-key-for-non-storage-purposes, which at least BroadcastChannel already uses in the spec. |
I'm trying to get a callback for every site that accesses any form of non-cookie storage. Which is the best algorithm to monkey patch from the Storage spec? I'm considering "obtain a storage key", but I'm not clear on the flow. Is this algorithm called once the first time an origin accesses local or session storage, and never before then? Also, could the browser run this algorithm for a non-site reason?
CC @inexorabletash @asutherland
The text was updated successfully, but these errors were encountered: