WebKit Bugzilla
NEW
193590
add support for encrypted localstorage
https://bugs.webkit.org/show_bug.cgi?id=193590
Gurdal
Reported
2019-01-18 13:36:21 PST
Add support for encrypted localstorage using SQLite Encryption Extension (https://www.sqlite.org/see/doc/trunk/www/index.wiki). Encryption will be enabled only when the ENABLE_SQLITE_ENCRYPTION_EXTENSION feature is turned on and the SqLite3See library is found.
Attachments
Patch (26.84 KB, patch), 2019-01-18 14:03 PST, Gurdal Oruklu (gurdal_oruklu: review?)
Gurdal Oruklu
Comment 1
2019-01-18 14:03:32 PST
Created attachment 359537: Patch
Geoffrey Garen
Comment 2
2019-01-22 11:09:45 PST
What's the target use case / platform for this? Why just LocalStorage and not other storage technologies? Why doesn't this patch include regression tests? On Darwin platforms, our preferred solution for data protection is the application container and/or filesystem-level encryption. I could imagine adding API for other styles of data protection on non-Darwin platforms, but I think we would want that API to be per WebsiteDataStore, and not per individual storage technology.
Darren Mo
Comment 3
2022-06-12 13:02:05 PDT
+1 to encrypting the entire `WebsiteDataStore`.

One use case would be to add an extra layer of protection for sensitive data in addition to filesystem-level encryption. As far as I know, there is no per-user encryption on macOS and no per-app encryption on Darwin platforms.

Geoffrey, do you have some thoughts on how to implement such a feature? I’m new to WebKit. I assume we need to

- Accept an encryption key. Should we support a single encryption algorithm/key type or support multiple?
- Encrypt/decrypt data. Does this happen inside `WebsiteDataStore`? Are there existing cross-platform WebKit APIs for encryption/decryption that we can reuse?
Geoffrey Garen
Comment 4
2022-06-13 10:48:27 PDT
> - Accept an encryption key. Should we support a single encryption algorithm/key type or support multiple?
I don't know. I suppose it depends on the purpose of the feature. If the purpose of the feature is to enable one user to encrypt their data separately from another user on the same device, then there's no obvious reason to allow a client to specify the encryption algorithm, and an API that picked an algorithm automatically would be easier to use.
> - Encrypt/decrypt data. Does this happen inside `WebsiteDataStore`? Are there existing cross-platform WebKit APIs for encryption/decryption that we can reuse?
This is a challenging question. WebKit uses many different storage technologies implicitly. Sometimes SQLite, sometimes flat files, sometimes encoded plists, sometimes something chosen by another framework in a way that is opaque to WebKit (e.g. cookies). It's not obvious to me at which layer we would perform encryption / decryption, or how to architect that. Getting to the point where you can override every storage operation with some kind of custom storage system is a pre-requisite to adding encryption, and probably the most challenging part of this feature proposal.
Sihui Liu
Comment 5
2022-06-14 21:57:43 PDT
(In reply to Darren Mo from comment #3)
> +1 to encrypting the entire `WebsiteDataStore`.
>
> One use case would be to add an extra layer of protection for sensitive data in addition to filesystem-level encryption. As far as I know, there is no per-user encryption on macOS and no per-app encryption on Darwin platforms.
Can you be more specific about the use case? What do you want to achieve with this API?
Darren Mo
Comment 6
2022-06-15 12:23:08 PDT
(In reply to Sihui Liu from comment #5)
> (In reply to Darren Mo from comment #3)
> > +1 to encrypting the entire `WebsiteDataStore`.
> >
> > One use case would be to add an extra layer of protection for sensitive data in addition to filesystem-level encryption. As far as I know, there is no per-user encryption on macOS and no per-app encryption on Darwin platforms.
>
> Can you be more specific about the use case? What do you want to achieve with this API?
Expanding on what I mentioned above:

- Per-user encryption. Imagine multiple users share a computer. One user can read another user’s data without needing their password. (Dunno if filesystem permissions mitigate that somewhat but imagine the user has root privileges.)
- Per-app encryption. Imagine multiple users share a single account or one user happens to know the account password of another user. In general, data should be readable by both users but perhaps one user has really sensitive information that they would like to keep private to themselves.