-
Notifications
You must be signed in to change notification settings - Fork 312
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Should UUID for unique IDs be mandated? #647
Comments
I don't think we should mandate it. It should just be a unique id but with some constraints I guess. @annevk pointed out the privacy implication of the id at #643 The app: URI scheme spec also uses UUID and has a similar privacy and security considerations: http://www.w3.org/TR/2013/WD-app-uri-20130516/#privacy So, I think I have to update the text considering those points. Please let me know if anyone has a more specific suggestion. |
I think the File API is wrong in not requiring something specific. Having said that, I'm not really sure we need UUIDs. The identifiers need to be unique per-origin, not globally. Having them globally unique might actually not be good for the user. As for a primitive, the Web Crypto API defines a randomness primitive. |
An id being unique per origin means the object can be accessed in globally unique manner during its lifetime (i.e. origin + id). So its security implication is not different from using a UUID I think. |
Using and requiring UUIDs should be fine here. We're not adding any new level of privacy concern. Same ids can be in IDB for example. And they don't live longer than the cache clearing lifetime. Closing. |
Having discussed with @michael-nordman, it seems the implementers want more flexibility in how they use the types for ids as they're minted from inside the platform. I thought requiring a uuid seems better as otherwise devs will see different types of ids from different browsers. What do you think about altering this requirement? FYI, Chrome's using a string serialized from a 64-bit interger. |
F2F:
|
Addressed: 66ff7c7. |
UUIDs are awesome.
But I notice that http://www.w3.org/TR/FileAPI/ goes out of the way to only make use of UUIDs a SHOULD not a MUST for unique IDs. Do we want to require the use of UUIDs for SW, or use less strict requirements, like File does?
(Also... if this is the first place in the platform that is outright requiring UUIDs, should we be good anti-magicians and add a UUID-minting function somewhere? Not in the SW spec, of course...)
The text was updated successfully, but these errors were encountered: