I like the part that answers whether a statement is true or not at the beginning of the video. Please make more. Very helpful.
The Chrome team always advances the web so much faster! Thank you, Pete and the team!
5:24 Incorrect variable names used for errors.
good **catch** 😂😂😂
D'oh! I always try to double check my code before putting it into slides. Sorry about that!
An obvious mistake is an obvious mistake, unless it's shadowing, which I don't think is the case here.
:googledevelopers:
@@victornpb Nice pun
Haha! What a coincidence: I'm reading "Modern Operating Systems" by Andrew Tanenbaum, and yesterday I just read about LRU in the chapter about memory management. And here it is :)
LokiJS - a good in-memory IndexedDB wrapper, but the Cache Storage API is great... as was this summary.
Thanks! :D
You are full of positive energy, I like it.
As a user, how do I prevent sites from storing hundreds of MB or even GBs of data on my computer without my consent? I mean something like "Ask By Default", and customizing quotas per-site.
You can usually specify the max size of your browser cache somewhere in the settings. Not sure if you can do something more fine-grained. It could be up to the browser to decide what stays in the cache and what goes.
Private mode should prevent your browser from saving to storage, as well as not caching many other files.
This is making me rethink some of our storage use cases :) - Nice video :)
Is IndexedDB vulnerable to XSS attacks?
It's incredibly helpful to me
Great format. Please continue making these.
Does this allow for PWAs to locally store offline content? Perhaps save huge videos from streaming providers for offline access.
Yes it does
@@calimio6 Wonderful.
Incredible content, I love this kind of video!
Great Content!
What kind of user data can you store in IndexedDB? Example, please.
I think you mean to ask whether you should store user data in IndexedDB? If so, yes you can store user data, but it highly depends on what it is. Of course you don't want to store sensitive information that could be susceptible to cross-site scripting attacks, and you don't want to store any session/access keys that the user needs for authenticating to a server; use cookies instead.
However, it's fine to store small amounts of data, like user data, in localStorage. IndexedDB is great if you have large amounts of data and/or you want to share the data with web and service workers.
An example use of IndexedDB could be an image upload application, which allows the user to upload images but also lets them work with those images, by caching them in IndexedDB while still uploading to a remote server. This way you provide a fast and smooth UX.
@@dealloc thanks, I really appreciate this👍
Are you sure IndexedDB doesn't block the main thread?? Just because something is asynchronous doesn't mean it's multi-threaded. Google's Best Practices imply that IndexedDB still runs on the main thread: developers.google.com/web/fundamentals/instant-and-offline/web-storage/indexeddb-best-practices.
It's frustrating because I find conflicting sources, such as this video, which states that it doesn't block the main thread, and then the Google link that I shared implies otherwise, and this Stack Overflow post states that it does block the "UI" (which I guess means the main thread): stackoverflow.com/a/5924778/8234457.
I want to know for sure, that way I can use Web Workers to access IndexedDB in case IndexedDB runs on the main thread.
What if all the apps are persisted?
❤ localStorage
So the StorageManager API lets me identify a user across pages by just comparing usage and quota bits? 3:42
I would build an ad that has this implemented; the user can disable cross-domain cookies and such, but I will even be able to identify him through incognito mode and can tell he is currently on p**nhub, ebay, and youtube. All without having to access his location data. Did I get this right?
The thing is that in incognito the browser lies to websites to avoid this kind of tracking tactic.
@@calimio6 but that's just Chrome and not the other browsers, right? Also that just removes incognito mode from fingerprinting, but everything else is still possible.
@@steffenfrese2512 I don't know if it is common practice between browsers; it should be. And while you are right in some regard, it is not the only way to track a person or device. Cursor motion, for example, is widely used; a good example is the reCAPTCHA tool. What I'm trying to say is that there is nothing inherently bad with this kind of API. But you are right in the fact that they could be misused.
I'm using React for the first time for a decoupled frontend. Where should I store the user token that is used when talking to the backend?
I've not used React before, so I'm not sure. I'd recommend asking on StackOverflow to see if someone there can help.
Your backend should set the auth token as an HTTP-Only cookie. This prevents any JS on the page from accessing it (including your own) which cuts off a number of attack vectors, including rogue npm dependencies and CDN scripts. The backend will be able to see the cookie, and that's all that matters.
@@caleb_miller10 Are cookies transferred automatically when using fetch against the server?
@@jeyemGFX Yep! As long as the origin matches up, the browser will pass the cookies along.
If you're writing an SPA that authenticates against a server separate from the one you are passing the token to, use the sessionStorage API; it's like localStorage but persists only for that browser session. Cookies will only work if the server looks at cookies for the session info; if the server is expecting an HTTP header with a JWT token, then sessionStorage is the way to go, since it does not persist on disk.
Ok... so a big dream of mine is that the user decides which data is TRULY personal and which they are ok with us storing for them.... I say it's a dream of mine because it's looking like the advice has changed about IndexedDB, which means it's a matter of time before it goes the way of MySQL.
What is the point in catching quota errors if the browser evicts my cache or other app caches in a FIFO way?
Unless all cache is marked as persistent storage, it should be fine, no?
If the device runs out of space, for example a phone or tablet with a small storage space. Or, unlikely but possible, if you're trying to save a ton of stuff, and so is everyone else.
FIFO is not LRU. LRU is Least Recently Used and has nothing to do with the order in which data is inserted into the local storage. Whichever site/record was visited least recently gets evicted unless persistent. FIFO is a pure circular buffer and does not account for age, only order.
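An added example (not from the video or any commenter) simulating the two policies contrasted in the reply above, with the persistent exemption and the point at which a quota error would surface for the question that opened this thread. Origin names, sizes, timestamps and the quota are constructed.

```javascript
// Added example: LRU vs FIFO eviction of best-effort origins under a quota.
// Each origin has a size, an insertion sequence number, a last-access time and a
// "persistent" flag (as granted by navigator.storage.persist()). All values constructed.
function evictUntilFits(origins, quota, policy) {
  const state = origins.map(o => ({ ...o })); // work on copies, leave input intact
  const used = () => state.reduce((sum, o) => sum + o.size, 0);
  const evicted = [];
  while (used() > quota) {
    // Persistent origins are exempt; only best-effort origins are candidates.
    const candidates = state.filter(o => !o.persistent);
    if (candidates.length === 0) {
      // Nothing evictable remains: this is where a write fails with QuotaExceededError.
      return { evicted, quotaExceeded: true, remaining: state.map(o => o.name) };
    }
    // LRU picks the least recently accessed origin; FIFO picks the earliest inserted.
    const key = policy === 'LRU' ? 'lastAccess' : 'inserted';
    const victim = candidates.reduce((a, b) => (b[key] < a[key] ? b : a));
    state.splice(state.indexOf(victim), 1);
    evicted.push(victim.name);
  }
  return { evicted, quotaExceeded: false, remaining: state.map(o => o.name) };
}

// Constructed sample: inserted in order a, b, c; "a" was then re-visited, so it is
// the oldest by insertion but the most recently used. The two policies disagree on it.
const SAMPLE_ORIGINS = [
  { name: 'https://a.example', size: 300, inserted: 1, lastAccess: 40, persistent: false },
  { name: 'https://b.example', size: 300, inserted: 2, lastAccess: 20, persistent: false },
  { name: 'https://c.example', size: 300, inserted: 3, lastAccess: 30, persistent: false },
];

function demo() {
  const quota = 700; // constructed: 900 used, so exactly one eviction is needed
  return {
    fifo: evictUntilFits(SAMPLE_ORIGINS, quota, 'FIFO').evicted, // ['https://a.example']
    lru: evictUntilFits(SAMPLE_ORIGINS, quota, 'LRU').evicted,   // ['https://b.example']
  };
}

console.log(demo());
```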
I recommend using RxDB, where you can actually observe queries and stuff. This makes it much easier to create a reactive UI instead of fiddling around with the IndexedDB API.
Wouldn’t enumerating available disk space help with calculating browser fingerprint more accurately? Especially after switching between browsing sessions (incognito vs std)
What fingerprint? User agent?
I didn't cover it in the video, but incognito handles storage a little differently, and "lies" about the amount of storage available.
@@PeteLePage I like this lying for good 😉
@@PeteLePage but that's just for incognito, and that's only an edge case most likely only covered by Chromium browsers and no one else, right?
Still going to use local storage and cookies, thanks.
When you refer to Chrome, does that mean Android Chrome too? Does that also have the 80% limit?!
0:53. Now you've set off my PTSD again.
Hahaha - sorry. At least there's a good alternative now. And AppCache is finally being removed from Chrome.
Thank you.
What is "origins", which is mentioned many times?
domain
R.I.P. KV Storage
Easy to recode on your own with IndexedDB, but yes, it was a great built-in addition.
Yah, a little bummed about that one personally. :(
Him: check the link in the description
Description:
Local storage should be avoided? It depends, that's the answer.
Nice rocket on the windowsill :)
Noice content ❤️
"only 300 megs"
q.q That's about as much as I have free of my 80 gigs. Why does a random little app need 300 megs of storage? I have games installed that are smaller than that.
Next level: make this storage P2P, so other users may retrieve parts of it (if the request meets your permissions) within an origin.
Ain't this one more device fingerprinting instrument?
Sure, if the API calculates the total number of free bytes on the hard drive you can use that stat for fingerprinting 😄. One of many fingerprinting techniques.
I want to hire you.
You're telling me a website could fill up 80% of my hard disk with crap at any moment?
Yes
No, 60% ;) However it's easy to find and clean up, since one button can remove it all. I'm more concerned about how native apps might abuse my file system in difficult to fix ways.
@@caleb_miller10 Yeah, I remember the Spotify issue where the app was making loooads of writes and deletes to storage; needless to say it was diminishing the lifetime of the storage media.
If 80% allow hard and one process 60% My mind come trick try glitch of chrome slow down browser and OS ... 😆
Hm, it will be a Chrome security risk because a website could use my disk's free space :(
I think I will uninstall Chrome.
The 2GB Firefox limit is good for me.
Chrome will never use your entire disk, the quota will kick in and Chrome will remove site data automatically.
@@PeteLePage His question is my question. Say I have a site and start using the user's disk for storage, and try maliciously to use all the space. Even if Chrome removes data, isn't it possible for my script to notice and know the limit of the user's space and, therefore, learn how much it needs to fill and just adapt itself?
Imagine Microsoft blocking Google (the domain) and all Google products on its OS; that's like half the users using Google's products now gone 😂 I wonder if I should pitch this threat to Larry; maybe I'll become the next CEO of Google and Alphabet for pointing out a potential threat to the company, like Sundar did, apart from him being a computer science student and obviously having impeccable knowledge about almost everything.
So... Chrome is allowed to use most of my local storage? More reason not to use it.
Yeah, I was thinking that.
Persistent storage in Chrome is a joke; why not just make a popup request instead of relying on an algorithm's decision?
Internet Explorer has become so irrelevant, it is not mentioned.
A guy just lost 60k because a hacker got into his Google picture account and found his KeePass.
Safari just breaks it....
101st comment
Stupid Safari 🤣