NPAPI:ClearSiteData: Difference between revisions
Revision as of 19:34, 19 November 2010
Status
Under consideration.
Problem Summary
Allow browsers to request that plugins clear locally stored private data.
Overview of current UIs
Type | Firefox | IE | Opera | Safari | Chrome |
---|---|---|---|---|---|
Browsing History | yes | yes | yes | yes | yes |
Download History | yes | yes | yes | yes | yes |
Form History | yes | yes | ? | yes | yes |
Search History | yes | ? | ? | ? | ? |
Cookies | yes | yes | temporary/all | yes | yes |
Cache | yes | yes | yes | yes | yes |
Active Logins | yes | yes | "password manager" | yes | yes |
Site Preferences | yes | ? | ? | ? | ? |
In addition, IE has "InPrivate Filtering Data" (what is this?)
In addition, Opera has "delete password protected pages and data" and "bookmark visited times".
In addition, Safari has "webpage preview images", "website icons" and "top sites"
Parameters | Firefox | IE | Opera | Safari | Chrome |
---|---|---|---|---|---|
Time Range | yes | no | no | no | yes |
By Site | yes (context menu in history) | ?? | ?? | ?? | ?? |
Existing Discussion and Documentation
Mail thread on plugin-futures: https://mail.mozilla.org/private/plugin-futures/2010-January/001150.html
In particular, Lloyd Hilaiel proposed an alternate approach where plugins would store everything in a standard filesystem-based layout, so the UA itself can do the clearing. See https://mail.mozilla.org/private/plugin-futures/2010-January/001156.html
Flash Local Storage: http://www.macromedia.com/support/documentation/en/flashplayer/help/help02.html
Firefox issue - clearing local storage with time range: https://bugzilla.mozilla.org/show_bug.cgi?id=527667
API Requirements
Clearing Privacy Data needs to be independent of whether the plugin is currently instantiated.
Type of Data
Flags:
- things the user enters, except for credentials (form data)
- credentials
- things cached by the UA (pages, preview images, icons)
- local data stored by the server / web application (cookies, HTML5 local storage, Flash/Silverlight local storage)
- history information (bookmarks, visited URIs)
- settings specific to a site (for instance, preferences with respect to privacy, script disabling...)
Time range
Several UAs offer to restrict the clear operation to a time range such as "today" or "last week".
In the API, this can be exposed as "last N minutes", or something like that.
We need to allow plugins to signal that they can't clear by time range, though.
(Return code, plus discoverability beforehand?)
Site/URI
Firefox supports "forget about this site". Other UAs do not appear to support this.
Should it be part of the API? If so, what format?
Current Proposal
- Last modified: Nov 19, 2010
- Authors: Julian Reschke (greenbytes), Dan Witte <dwitte@mozilla.com>, Bernhard Bauer <bauerb@chromium.org>, Rajesh Gwalani <rgwalani@adobe.com>
The current proposal is to add a new method, providing the new functionality:
```c
NPError NPP_ClearSiteData(
    PRUint64 flags,       // what type of data to clear
    const char* origin,   // limit to origin
    PRUint64 maxAge       // max. age of information in seconds
);
```
New NPError codes:
```c
// can't clear by time range
#define NPERR_TIMERANGE_NOT_SUPPORTED (NPERR_BASE + 14)
// can't clear by origin
#define NPERR_LIMITBYORIGIN_NOT_SUPPORTED (NPERR_BASE + 15)
// malformed 'origin' string
#define NPERR_MALFORMED_ORIGIN (NPERR_BASE + 16)
```
Semantics:
- `flags` is a bitset representing which type(s) of data to clear; `0` means "clear all types".
- The `domain` argument (the `origin` parameter in the signature above) is interpreted as follows:
  - if a hostname of the form "foo.com", data in the "foo.com" domain and all subdomains should be cleared. In this form, `domain` must be a normalized ACE-encoded hostname, lowercased; must not contain a trailing dot; must not contain scheme, port, or other such fields; and must contain at least one embedded dot;
  - if an IP address (either IPv4 or IPv6), data for that IP should be cleared;
  - if `NULL`, all site-specific data and more generic data on browsing history (for instance, number of sites visited) should be cleared.
- `maxAge` is the maximum age of data to clear, inclusive, in seconds. If `maxAge` is `0`, no data is cleared. If `maxAge` is the maximum unsigned 64-bit integer, all data is cleared.
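As an added example (not code from this page, nor from Mozilla, Chromium or Adobe), here is a plugin-side implementation of the proposed method that enforces the `origin`, `flags` and `maxAge` rules above, with one flag bit per entry of the "Type of Data" list, run against a constructed in-memory store. It assumes `uint64_t` in place of `PRUint64`; the `NPError` typedef and `NPERR_BASE` mirror npapi.h, the three new codes are the proposed ones; the flag bit values, the record store and the visited-sites counter are hypothetical, since the page assigns no values to the data types.

```c
/* Added example, not code from the NPAPI:ClearSiteData page or any browser/plugin.
 * Plugin-side NPP_ClearSiteData enforcing the proposal's argument rules against a
 * constructed in-memory store. Assumptions: uint64_t stands in for PRUint64; the
 * NPError/NPERR_BASE declarations mirror npapi.h; the FLAG_* bit values, the record
 * store and the visited-sites counter are hypothetical (the page defines no values). */
#include <arpa/inet.h>
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

typedef int16_t NPError;
#define NPERR_BASE 0
#define NPERR_NO_ERROR                    (NPERR_BASE + 0)
#define NPERR_TIMERANGE_NOT_SUPPORTED     (NPERR_BASE + 14)  /* proposed, unused here */
#define NPERR_LIMITBYORIGIN_NOT_SUPPORTED (NPERR_BASE + 15)  /* proposed, unused here */
#define NPERR_MALFORMED_ORIGIN            (NPERR_BASE + 16)  /* proposed */

/* Hypothetical flag bits, one per entry of the page's "Type of Data" list. */
#define FLAG_FORM_DATA     (1ULL << 0)
#define FLAG_CREDENTIALS   (1ULL << 1)
#define FLAG_CACHE         (1ULL << 2)
#define FLAG_LOCAL_STORAGE (1ULL << 3)
#define FLAG_HISTORY       (1ULL << 4)
#define FLAG_SITE_SETTINGS (1ULL << 5)

struct record { const char *host; uint64_t type; uint64_t age; int live; };

/* Constructed sample store: host, data type, age in seconds, still present? */
static struct record store[] = {
    { "foo.com",     FLAG_LOCAL_STORAGE, 10,     1 },
    { "www.foo.com", FLAG_LOCAL_STORAGE, 5000,   1 },
    { "foo.com",     FLAG_CREDENTIALS,   10,     1 },
    { "notfoo.com",  FLAG_LOCAL_STORAGE, 10,     1 },  /* must NOT match origin "foo.com" */
    { "192.0.2.1",   FLAG_CACHE,         50,     1 },
    { "example.net", FLAG_HISTORY,       100000, 1 },
};
#define NRECORDS (sizeof store / sizeof store[0])
static unsigned visited_sites = 42;  /* generic history data not tied to one site (hypothetical) */

void store_reset(void) { for (size_t i = 0; i < NRECORDS; i++) store[i].live = 1; visited_sites = 42; }
int live_count(void) { int n = 0; for (size_t i = 0; i < NRECORDS; i++) n += store[i].live; return n; }
unsigned visited_sites_count(void) { return visited_sites; }

/* Hostname form per the proposal: lowercase ACE labels of [a-z0-9-] only (so no scheme,
 * port or uppercase), no leading or trailing dot, at least one embedded dot. */
static int is_hostname(const char *s)
{
    size_t n = strlen(s), label = 0;
    int dots = 0;
    if (n == 0 || n > 253 || s[0] == '.' || s[n - 1] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '.') { if (label == 0 || label > 63) return 0; label = 0; dots++; continue; }
        if (!(islower(c) || isdigit(c) || c == '-')) return 0;
        label++;
    }
    return label > 0 && label <= 63 && dots >= 1;
}

/* IP literal: what inet_pton accepts (dotted-quad IPv4 or textual IPv6). The bracketed
 * RFC 3986 "IP-literal" form is an open issue on the page and is rejected here. */
static int is_ip_literal(const char *s)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* host equals origin, or is a subdomain of it; the match must sit on a label boundary. */
static int host_matches(const char *host, const char *origin)
{
    size_t h = strlen(host), o = strlen(origin);
    if (h == o) return strcmp(host, origin) == 0;
    return h > o && host[h - o - 1] == '.' && strcmp(host + (h - o), origin) == 0;
}

NPError NPP_ClearSiteData(uint64_t flags, const char *origin, uint64_t maxAge)
{
    enum { BY_ALL, BY_HOST, BY_IP } scope;
    uint64_t mask = flags ? flags : ~(uint64_t)0;   /* flags == 0 means all types */

    if (origin == NULL)             scope = BY_ALL;
    else if (is_ip_literal(origin)) scope = BY_IP;   /* before the hostname test: "192.0.2.1" also passes it */
    else if (is_hostname(origin))   scope = BY_HOST;
    else                            return NPERR_MALFORMED_ORIGIN;

    if (maxAge == 0) return NPERR_NO_ERROR;          /* proposal: maxAge 0 clears nothing */

    for (size_t i = 0; i < NRECORDS; i++) {
        struct record *r = &store[i];
        if (!(r->type & mask)) continue;
        if (r->age > maxAge) continue;               /* inclusive; never true for UINT64_MAX, so everything qualifies */
        if (scope == BY_HOST && !host_matches(r->host, origin)) continue;
        if (scope == BY_IP && strcmp(r->host, origin) != 0) continue;
        r->live = 0;
    }
    if (scope == BY_ALL && (mask & FLAG_HISTORY)) visited_sites = 0;  /* generic history only with NULL origin */
    return NPERR_NO_ERROR;
}

/* Start from the sample store on every call; used by main() below and by tests. */
NPError fresh_clear(uint64_t flags, const char *origin, uint64_t maxAge)
{
    store_reset();
    return NPP_ClearSiteData(flags, origin, maxAge);
}

int main(void)
{
    NPError err = fresh_clear(0, "foo.com", 100);
    printf("foo.com, data <= 100 s old: err=%d, %d of %zu records left\n", err, live_count(), NRECORDS);
    err = fresh_clear(0, "Foo.com", UINT64_MAX);
    printf("Foo.com (not lowercased): err=%d (NPERR_MALFORMED_ORIGIN is %d)\n", err, NPERR_MALFORMED_ORIGIN);
    err = fresh_clear(0, NULL, UINT64_MAX);
    printf("NULL origin, all types: err=%d, %d left, visited-sites counter=%u\n", err, live_count(), visited_sites_count());
    return 0;
}
```

The origin is validated before the `maxAge == 0` early return, so a malformed string is reported even when no clearing would happen, and `notfoo.com` survives a clear of `foo.com` because the suffix match insists on a preceding dot. A plugin that cannot honour a time range or an origin restriction would return `NPERR_TIMERANGE_NOT_SUPPORTED` or `NPERR_LIMITBYORIGIN_NOT_SUPPORTED` before touching any data; the toy store supports both, so this block never returns them.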
Open Issues
- Do we need a discovery method?
- Should it be possible to clear all types with a single call? In which case the flags should be passed as a bit set; this would also allow a forwards-compatible "delete-all".
- [dwitte] Yes: flags == 0 should mean "clear everything".
- What is the behavior of the 'site' argument? does 'foo.com' clear data for 'foo.com' and all subdomains? Does it work for IP addresses?
- If 'site' is NULL or the empty string, does all data get cleared?
- Does maxAge == 0 clear data regardless of age? Or maxAge == 2^31 - 1?
- 'NPN_ClearPrivacyData' seems like a strange name. 'NPN_ClearSiteData' perhaps?
- what's the syntax for an IPv6 address in site? As per RFC 3986 "IP-literal" ([1])?
- What should be the behavior when the plugin is not in memory or not running? Does it need to "clear privacy information" on next invocation? How to make the solution cross-OS?