Clear Site Data

Editor’s Draft,

This version:
https://w3c.github.io/webappsec/specs/clear-site-data/
Latest version:
http://www.w3.org/TR/clear-site-data/
Feedback:
public-webappsec@w3.org with subject line “[clear-site-data] … message topic …” (archives)
Issue Tracking:
GitHub
Inline In Spec
Editor:
(Google Inc.)
Bug Reports:
via the w3c/webappsec repository on GitHub

Copyright © 2015 W3C® (MIT, ERCIM, Keio, Beihang). W3C liability, trademark and document use rules apply.

Abstract

This document defines an imperative mechanism which allows web developers to instruct a user agent to clear a site’s locally stored data related to a host and its subdomains.

Status of this document

This is a public copy of the editors’ draft. It is provided for discussion only and may change at any moment. Its publication here does not imply endorsement of its contents by W3C. Don’t cite this document other than as work in progress.

Changes to this document may be tracked at https://github.com/w3c/webappsec.

The (archived) public mailing list public-webappsec@w3.org (see instructions) is preferred for discussion of this specification. When sending e-mail, please put the text “clear-site-data” in the subject, preferably like this: “[clear-site-data] …summary of comment…

This document was produced by the Web Application Security Working Group.

This document was produced by a group operating under the 5 February 2004 W3C Patent Policy. W3C maintains a public list of any patent disclosures made in connection with the deliverables of the group; that page also includes instructions for disclosing a patent. An individual who has actual knowledge of a patent which the individual believes contains Essential Claim(s) must disclose the information in accordance with section 6 of the W3C Patent Policy.

This document is governed by the 1 August 2014 W3C Process Document.

Table of Contents

1. Introduction

This section is not normative.

Web applications store data locally on a user’s computer in order to provide functionality while the user is offline, and to increase performance when the user is online. These local caches have significant advantages for both users and developers, but present risks as well.

A user’s data is both sensitive and valuable; web developers ought to take reasonable steps to protect it. One such step would be to encrypt data before storing it. Another would be to remove data from the user’s machine when it is no longer necessary (for example, when the user signs out of the application, or deletes their account).

Site authors can remove data from a number of storage mechanisms via JavaScript, but others are difficult to deal with reliably. Consider cookies, for instance, which can be partially cleared via JavaScript access to document.cookie. HttpOnly cookies, however, can only be removed via a number of Set-Cookie headers in an HTTP response. This, of course, requires exhaustive knowledge of all the cookies set for a host, which can be complicated to ascertain. Cache is still harder; no imperative interface to a browser’s network cache exists, period.

This document defines a new mechanism to deal with removing data from these and other types of local storage, giving web developers the ability to clear out a user’s local cache of data via the Clear-Site-Data HTTP response header.

1.1. Examples

1.1.1. Signing Out

A user signs out of Super Secret Social Network via a CSRF-protected POST to https://supersecretsocialnetwork.example.com/logout, and the site author wishes to ensure that locally stored data is removed as a result.

They can do so by sending the following HTTP header in the response:

Clear-Site-Data: *

1.1.2. Targeted Clearing

A user signs out of Megacorp Inc.'s site via a CSRF-protected POST to https://megacorp.example.com/logout. Megacorp has a large number of services available as subdomains, so many that it’s not entirely clear which of them would be safe to clear as a response to a logout action. One option would be to simply clear everything, and deal with the fallout. Megacorp’s CEO, however, once lost hours and hours of progress in "Irate Ibexes" due to inadvertent site-data clearing, and so refuses to allow such a sweeping impact to the site’s users.

The developers know, however, that the "Minus" application is certainly safe to clear out. They can target this specific subdomain by including a request to that subdomain as part of the logout landing page (ideally as a CORS-enabled, CSRF-protected POST):

fetch("https://minus.megacorp.example.com/clear-site-data",
      {
          method: "POST",
          mode: "cors",
          headers: new Headers({
              "CSRF": "[insert sekrit token here]"
          })
      });

That endpoint would return proper CORS headers in response to that request’s preflight, and would return the following header for the actual request:

Clear-Site-Data: *; includeSubdomains

1.1.3. Keep Critical Cookies

A user opts-out of interest-based advertising via a CSRF-protected POST to https://ads-are-awesome.example.com/optout. The site author wishes to remove DOM-accessible data which might contain tracking information, but needs to ensure that the opt-out cookie which the user has just received isn’t wiped along with it.

They can do so by sending the following HTTP header in the response, which includes all the types except for "cookies":

Clear-Site-Data: storage; executionContexts; cache; includeSubdomains

1.1.4. Kill Switch

Super Secret Social Network’s developers learn that the site was vulnerable to cross-site scripting attacks which allowed malicious parties to inject arbitrary code into its origin. They fixed the site, and added a strong Content Security Policy [CSP2] to mitigate the risk going forward, but they can’t be entirely sure that clients are really back to a trustworthy state. Perhaps the attackers found a clever persistence mechanism?

They can reduce the risk of a persistent client-side XSS by sending the following HTTP header in a response to wipe out local sources of data:

Clear-Site-Data: *; includeSubdomains

Note: Installing a Service Worker guarantees that a request will go out to a server every ~24 hours. That update ping would be a wonderful time to send a header like this one in case of catastrophe. [SERVICE-WORKERS]

1.2. Goals

Generally, the goal is to allow web developers more control over the data stored locally by a user agent for their origins. In particular, developers should be able to reliably ensure the following:

  1. Data stored in an origin’s client-side storage mechanisms like [INDEXEDDB], WebSQL, Filesystem, localStorage, and sessionStorage is cleared.

  2. Cookies for an origin’s host are removed [RFC6265].

  3. Web Workers (dedicated and shared) running for an origin are terminated.

  4. Service Workers registered for an origin are terminated and deregistered.

  5. Resources from an origin are removed from the user agent’s local cache.

  6. All of the above can be propagated to an origin’s host’s subdomains.

  7. All of the above can be propagated to the HTTP version of an HTTPS origin.

  8. None of the above can be bypassed by a maliciously active document that retains interesting data in memory, and rewrites it if it’s cleared.

2. Clearing Site Data

Developers may instruct a user agent to clear various types of relevant data in two ways: an HTTP response header, and a JavaScript API:

The Clear-Site-Data HTTP response header field sends a signal to the user agent that it ought to remove all data of a certain set of types. The header is represented by the following ABNF [RFC5234]:

Clear-Site-Data = 1#option
option = parameter *( OWS ";" [ OWS parameter ] )
parameter = key [ BWS "=" value ]
key = token
value = token / quoted-string

Note: The BWS, OWS, token, and quoted-string rules as well as the #rule list extension are defined in [RFC7230].

The Clear-Site-Data header’s value is essentially a semicolon-delimited list of "[key]=[value]" pairs which define the kinds of data to be cleared for a given response.

The following subsections define an initial set of known parameter components; future versions of this document may define additional parameter components: the ABNF above is intentionally generic and extensible to make room for these future values, and user agents MUST ignore unknown parameter components when parsing the header’s value.

2.1.1. The cache parameter

The cache parameter indicates that the server wishes to remove locally cached data associated with the origin of a particular response’s url. This includes the network cache, of course, but will also remove data from various other caches which a user agent implements (prerendered pages, script caches, shader caches, etc.).

The value component of this parameter is currently ignored, if present.

Implementation details are in §3.4.3 Clear cache for origin with subdomain state, as part of the larger §3.2 Clear data for response and §3.3 Clear data for storageRequestOptions algorithms.

When delivered with a response from https://example.com/clear, the following header will cause caches associated with the origin https://example.com to be cleared: 
Clear-Site-Data: cache

2.1.2. The cookies parameter

The cookies parameter indicates that the server wishes to remove cookies associated with the origin of a particular response’s url. This includes the network cache, of course, but will also remove data from various other caches which a user agent implements (prerendered pages, script caches, shader caches, etc.).

The value component of this parameter is currently ignored, if present.

Implementation details are in §3.4.3 Clear cache for origin with subdomain state, as part of the larger §3.2 Clear data for response and §3.3 Clear data for storageRequestOptions algorithms.

When delivered with a response from https://example.com/clear, the following header will cause cookies associated with the origin https://example.com to be cleared: 
Clear-Site-Data: cookies

2.1.3. The storage parameter

The storage parameter indicates that the server wishes to remove locally stored data associated with the origin of a particular response’s url. This includes storage mechansims such as (localStorage, sessionStorage, [INDEXEDDB], [WEBDATABASE], etc), as well as tangentially related mechainsm such as service worker registrations.

The value component of this parameter is currently ignored, if present.

Implementation details are in §3.4.5 Clear DOM-accessible storage for origin with subdomain state, as part of the larger §3.2 Clear data for response and §3.3 Clear data for storageRequestOptions algorithms.

When delivered with a response from https://example.com/clear, the following header will cause DOM-accessible storage for the origin https://example.com to be cleared: 
Clear-Site-Data: storage

2.1.4. The executionContexts parameter

The executionContexts parameter indicates that the server wishes to neuter and reload execution contexts currently rendering the origin of a particular response’s url.

The value component of this parameter is currently ignored, if present.

Implementation details are in §3.4.1 Neuter browsing contexts matching origin with subdomain state, as part of the larger §3.2 Clear data for response and §3.3 Clear data for storageRequestOptions algorithms.

When delivered with a response from https://example.com/clear, the following header will cause execution contexts displaying the origin https://example.com to be neutered and reloaded: 
Clear-Site-Data: executionContexts

2.1.5. The includeSubdomains parameter

The includeSubdomains parameter expands the scope of the storage type parameters to include any origin whose host is a subdomain of the response’s url's host.

Implementation details are included as part of the larger §3.2 Clear data for response and §3.3 Clear data for storageRequestOptions algorithms.

When delivered with a response from https://example.com/clear, the following header will cause caches associated with the origins https://example.com and https://anythingelse.example.com to be cleared: 
Clear-Site-Data: cache; includeSubdomains

2.1.6. The * parameter

The * parameter is syntactic sugar which includes all storage type parameters. That is:

Clear-Site-Data: *

has the same meaning as:

Clear-Site-Data: cache; cookies; storage; executionContexts

2.2. JavaScript API

This might live more cleanly in [STORAGE].

Megacorp, Inc. wants to remove data in response to a user’s activity on their site. They can execute the following JavaScript to clear all the relevant data for a user: 
navigator.storage.clear();

If they only wished to clear the otherwise inaccessible cache for the current origin and all subdomains:

navigator.storage.clear({
  types: [ "cache" ],
  includeSubdomains: true
});

enum StorageClearType {
  "cache",
  "cookies",
  "storage",
  "executionContexts"
};

dictionary StorageClearOptions {
  sequence<StorageClearType> types;
  boolean includeSubdomains = false;
};

partial interface StorageManager {
  Promise<void> clear(StorageClearOptions options);
};
clear(options)
Clears data based on the values in the options argument. Returns a Promise that resolves when clearing is complete. If no types are specified, all data types will be cleared.
Parameter Type Nullable Optional Description
options StorageClearOptions The data to clear.
Arguments for the StorageManager.clear(options) method.

2.3. Fetch Integration

Monkey patching! Talk with Anne.

If the Clear-Site-Data header is present in an HTTP response, then data MUST be cleared before rendering the response to the user. That is, before step #9 in the current main fetch algorithm, execute the following step:

  1. If response’s header list contains a header named Clear-Site-Data, then execute §3.2 Clear data for response on response.

Note: This happens after Set-Cookie headers are processed. If we clear cookies, we clear all of them. This is intentional, as removing only certain cookies might leave an application in an indeterminate and vulnerable state. Removing specific cookies is best done via expiration using the Set-Cookie header.

3. Algorithms

3.1. Parsing

3.1.1. Which data types ought to be removed for response?

  1. If response does not contain a Clear-Site-Data header, return an empty list.

  2. Let parameters be the list of parameter components in the value of response’s Clear-Site-Data header.

  3. If parameters contains a parameter whose key is *:

    1. Append cache, cookies, storage, and executionContexts to remove.

    2. Return remove.

  4. Otherwise, let remove be an empty list.

  5. For each parameter in parameters:

    1. If parameter’s key is cache, cookies, storage, or executionContexts, cache append parameter’s key to remove.

    2. Otherwise, ignore parameter.

  6. Return remove.

3.1.2. Should subdomains' data be cleared for response

  1. If response does not contain a Clear-Site-Data header, return Exclude Subdomains.

  2. Let parameters be the list of parameter components in the value of response’s Clear-Site-Data header.

  3. If parameters contains a parameter whose key is includeSubdomains, return Include Subdomains.

  4. Otherwise, return Exclude Subdomains.

3.1.3. Does origin match origin to clear and subdomain state

Given an origin, the origin to clear, and the "include subdomains" flag, return Matches or Does Not Match.

  1. If either origin or origin to clear are globally unique identifiers, return Does Not Match.

  2. If origin is the same as origin to clear, return Matches.

  3. If subdomain state is Exclude Subdomains, return Does Not Match.

  4. Let labels to clear be the host component of origin to clear split into labels, and labels be the host component of origin, split into labels.

  5. If labels does not have more entries than labels to clear, return Does Not Match.

  6. While labels to clear is not empty:

    1. If the final entry of labels to clear does not exactly match the final entry of labels, return Does Not Match.

    2. Remove the final entry of labels to clear, and of labels.

  7. Return Matches.

3.2. Clear data for response

Given a response (response), this algorithm parses the Clear-Site-Data header to determine what needs to be cleared, which origins are affected, and then executes those requests.

  1. If response’s URL is a priori insecure, skip the remaining steps of this algorithm.

    Some have suggested that this might not be a restriction we want (see Martin Thomson’s public-webappsec post on the topic, for example).

  2. Let types be the result of §3.1.1 Which data types ought to be removed for response? executed on response.

  3. Let subdomain state be the result of §3.1.2 Should subdomains' data be cleared for response executed on response.

  4. Execute §3.4 Clear types for origin with subdomain state on types, response’s url's origin, and subdomain state.

Note: Especially given the cross-context implications, user agents are are encouraged to give web developers some mechanism by which the clearing operation can be debugged. This might take the form of a console message or timeline entry indicating success.

3.3. Clear data for storageRequestOptions

Given a StorageClearOptions (options), this algorithm determines what needs to be cleared, returns a Promise, and executes the request asynchronously.

  1. If the incumbent settings object is not a secure context, return a Promise rejected with NotSupportedError.

  2. Let promise be a newly created Promise object.

  3. Return promise, and execute the remaining steps asynchronously.

  4. Let subdomain state be Include Subdomains if options' includeSubdomains property is true, and Exclude Subdomains otherwise.

  5. Let types be an empty list.

  6. If options' types is an empty sequence:

    1. Append cache, cookies, storage, and executionContexts to types.

  7. Otherwise, for each StorageClearType type in options' types property:

    1. Append type to types.

  8. Execute §3.4 Clear types for origin with subdomain state on types, the incumbent settings object’s origin, and subdomain state.

  9. Resolve promise with undefined.

3.4. Clear types for origin with subdomain state

  1. If types contains "executionContexts", execute §3.4.1 Neuter browsing contexts matching origin with subdomain state on origin, with subdomain state.

  2. If types contains "cookies", execute §3.4.4 Clear cookies for origin with subdomain state on origin, with subdomain state.

  3. If types contains "storage", execute §3.4.5 Clear DOM-accessible storage for origin with subdomain state on origin, with subdomain state.

  4. If types contains "cache", execute §3.4.3 Clear cache for origin with subdomain state on origin, with subdomain state.

  5. If types contains "executionContexts", execute §3.4.2 Reload browsing contexts matching origin with subdomain state on origin, with subdomain state.

3.4.1. Neuter browsing contexts matching origin with subdomain state

Given an origin (origin) and a subdomain state of either Include Subdomains or Exclude Subdomains, this algorithm walks through the set of browsing contexts which the user agent knows about, and sandboxes each in order to prevent them from recreating cleared data (from in-memory JavaScript variables, for instance). Once data is cleared, the affected browsing contexts will be hard-reloaded, as defined in §3.4.2 Reload browsing contexts matching origin with subdomain state:

  1. For each context in the user agent’s set of browsing contexts:

    1. Let document be context’s active document.

    2. While document is an iframe srcdoc document, let document be the active document of document’s browsing context container.

    3. If §3.1.3 Does origin match origin to clear and subdomain state returns Matches when executed on context’s origin, origin, and subdomain state:

      1. Parse a sandboxing directive using the empty string as the input, and document’s active sandboxing flag set as the output.

3.4.2. Reload browsing contexts matching origin with subdomain state

Given an origin (origin) and a subdomain state of either Include Subdomains or Exclude Subdomains, this algorithm walks through the set of browsing contexts which the user agent knows about and reloads each of them:

  1. For each context in the user agent’s set of browsing contexts:

    1. Let document be context’s active document.

    2. While document is an iframe srcdoc document, let document be the active document of document’s browsing context container.

    3. If §3.1.3 Does origin match origin to clear and subdomain state returns Matches when executed on context’s origin, origin, and subdomain state:

      1. Navigate context to document’s URL with replacement enabled and exceptions enabled. The source browsing context is context. This is a reload-triggered navigation.

3.4.3. Clear cache for origin with subdomain state

Given an origin (origin) and a subdomain state of either Include Subdomains or Exclude Subdomains, this algorithm removes data from the user agent’s local caches that matches the origin and subdomain state.

  1. Let host be origin’s host, canonicalized as per Section 5.1.2 of [RFC6265].

  2. If subdomain state is Include Subdomains, then let cache list be the set of entries from the network cache whose target URI’s host domain-matches host when canonicalized as per Section 5.1.2 of [RFC6265]

  3. Otherwise, subdomain state is Exclude Subdomains, so let cache list be the set of entries from the network cache whose target URI host is identical to host when canonicalized as per Section 5.1.2 or [RFC6265].

  4. Remove each entry in cache list from the network cache.

  5. If a user agent implements caches beyond a pure network cache, it MUST remove all entries from those caches which match origin and subdomain state.

    We’re dealing with the network cache here, as defined in [RFC7234], but that’s not nearly everything a user agent caches. How hand-wavey with the vendor-specific section can we be? For instance, Chrome clears out prerendered pages, script caches, WebGL shader caches, WebRTC bits and pieces, address bar suggestion caches, various networking bits that aren’t representations (HSTS/HPKP, SCDH, etc.). Perhaps [STORAGE] will make this clearer?

3.4.4. Clear cookies for origin with subdomain state

Given an origin (origin) and a subdomain state of either Include Subdomains or Exclude Subdomains, this algorithm removes cookies from the user agent’s cookie store whose domain attribute matches the origin and subdomain state.

Note: This algorithm assumes that the user agent has implemented a cookie store (as discussed in Section 5.3 of [RFC6265]), which offers the ability to retrieve a list of cookies by host, and to remove individual cookies.

  1. Let host be origin’s host, canonicalized as per Section 5.1.2 of [RFC6265].

  2. If subdomain state is Include Subdomains, then let cookie list be the set of cookies from the cookie store whose domain attribute is domain-matched by host.

    Note: The direction of the matching is important. If subdomain.example.com delivers the Clear-Site-Data header and includes subdomains, then cookies for .another.subdomain.example.com will be cleared, but cookies for .example.com will not.

  3. Otherwise, subdomain state is Exclude Subdomains, so let cookie list be the set of cookies from the cookie store whose domain attribute is identical to host.

  4. Remove each cookie in cookie list from the cookie store.

3.4.5. Clear DOM-accessible storage for origin with subdomain state

  1. For each area in the user agent’s set of local storage areas [HTML]:

    1. If §3.1.3 Does origin match origin to clear and subdomain state returns Matches when executed on area’s origin, origin, and subdomain state:

      1. Execute clear() on the Storage object associated with area.

  2. For each area in the user agent’s set of session storage areas [HTML]:

    1. If §3.1.3 Does origin match origin to clear and subdomain state returns Matches when executed on area’s origin, origin, and subdomain state:

      1. Execute clear() on the Storage object associated with area.

  3. For each database in the user agent’s set of Indexed Databases [INDEXEDDB]:

    1. If §3.1.3 Does origin match origin to clear and subdomain state returns Matches when executed on database’s origin, origin, and subdomain state:

      1. Set database’s delete pending flag to true.

      2. For each connection in the set of all IDBDatabase objects connected to database:

        1. Execute the database closing steps on connection.

      3. Execute the database deletion steps on database, passing in database’s origin and name.

  4. For each database in the user agent’s set of WebSQL databases [WEBDATABASE]:

    1. If §3.1.3 Does origin match origin to clear and subdomain state returns Matches when executed on database’s origin, origin, and subdomain state:

      1. Delete database.

        The [WEBDATABASE] spec is fairly unhelpful here with regard to deletion details.

  5. For each registration in the user agent’s set of registered service worker registrations:

    1. If §3.1.3 Does origin match origin to clear and subdomain state returns Matches when executed on registration’s scope URL’s origin, origin, and subdomain state:

      1. Execute unregister() on registration.

We still need to spell out Filesystems, Dedicated Workers, Shared Workers, etc. (This isn’t an exhaustive list. We should fix that too.)

How do we say something about plugins here? Point out to NPP_ClearSiteData?

4. Privacy Considerations

4.1. Web developers control the timing.

If triggered at appropriate times, Clear-Site-Data can increase a user’s privacy and security by clearing sensitive data from their user agent. However, note that the web developer (and not the user) is in control of when the clearing event is triggered. Even assuming a non-malicious site author, users can’t rely on data being cleared at any particular point, nor are users in control of what data types are cleared.

If a user wishes to ensure that site data is indeed cleared at some specific point, they ought to rely on the data-clearing functionality offered by their user agent.

At a bare minimum, user agents OUGHT TO (in the [RFC6919] sense of the words) offer the same functionality to users that they offer to web developers. Ideally, they will offer significantly more than we can offer at a platform level (clearing browsing history, for example).

4.2. Remnants of data on disk.

While Clear-Site-Data triggers a clearing event in a user’s agent, it is difficult to make promises about the state of a user’s disk after a clearing event takes place. In particular, note that it is up to the user agent to ensure that all traces of a site’s date is actually removed from disk, which can be a herculean task (consider virtual memory, as a good example of a larger issue).

In short, most user agents implement data clearing as "best effort", but can’t promise an exhaustive wipe.

If a user wishes to ensure that site data does not remain on disk, the best way to do so is to use a browsing mode that promises not to intentionally write data to disk (Chrome’s "Incognito", Internet Explorer’s "InPrivate", etc). These modes will do a better job of keeping data off disk, but are still subject to a number of limitations at the edges.

5. IANA Considerations

The permanent message header field registry should be updated with the following registration: [RFC3864]

5.1. Clear-Site-Data

Header field name
Clear-Site-Data
Applicable protocol
http
Status
standard
Author/Change controller
W3C
Specification document
This specification (See §2.1 The Clear-Site-Data HTTP Response Header Field)

6. Acknowledgements

Michal Zalewski proposed a variant of this concept, and Mark Knichel helped refine the details.

Conformance

Document conventions

Conformance requirements are expressed with a combination of descriptive assertions and RFC 2119 terminology. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in the normative parts of this document are to be interpreted as described in RFC 2119. However, for readability, these words do not appear in all uppercase letters in this specification.

All of the text of this specification is normative except sections explicitly marked as non-normative, examples, and notes. [RFC2119]

Examples in this specification are introduced with the words "for example" or are set apart from the normative text with class="example", like this:

This is an example of an informative example.

Informative notes begin with the word "Note" and are set apart from the normative text with class="note", like this:

Note, this is an informative note.

Conformant Algorithms

Requirements phrased in the imperative as part of algorithms (such as "strip any leading space characters" or "return false and abort these steps") are to be interpreted with the meaning of the key word ("must", "should", "may", etc) used in introducing the algorithm.

Conformance requirements phrased as algorithms or specific steps can be implemented in any manner, so long as the end result is equivalent. In particular, the algorithms defined in this specification are intended to be easy to understand and are not intended to be performant. Implementers are encouraged to optimize.

Conformance Classes

A conformant user agent must implement all the requirements listed in this specification that are applicable to user agents.

A conformant server must implement all the requirements listed in this specification that are applicable to servers.

Index

Terms defined by this specification

Terms defined by reference

References

Normative References

[FETCH]
Anne van Kesteren. Fetch. Living Standard. URL: https://fetch.spec.whatwg.org/
[HTML]
Ian Hickson. HTML Standard. Living Standard. URL: https://html.spec.whatwg.org/multipage/
[IndexedDB]
Nikunj Mehta; et al. Indexed Database API. 8 January 2015. REC. URL: http://www.w3.org/TR/IndexedDB/
[MIX]
Mike West. Mixed Content. LCWD. URL: https://w3c.github.io/webappsec/specs/mixedcontent/
[RFC3864]
Graham Klyne; Mark Nottingham; Jeffrey C. Mogul. Registration Procedures for Message Header Fields. RFC. URL: http://www.ietf.org/rfc/rfc3864.txt
[RFC6454]
Adam Barth. The Web Origin Concept. RFC. URL: http://www.ietf.org/rfc/rfc6454.txt
[RFC7230]
Roy T. Fielding; Julian F. Reschke. HTTP/1.1 Message Syntax and Routing. RFC. URL: http://www.ietf.org/rfc/rfc7230.txt
[STORAGE]
Anne van Kesteren. Storage Living Standard. LS. URL: https://storage.spec.whatwg.org/
[URL]
Anne van Kesteren. URL. Living Standard. URL: https://url.spec.whatwg.org/
[HTML5]
Ian Hickson; et al. HTML5. 28 October 2014. REC. URL: http://www.w3.org/TR/html5/
[RFC2119]
S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. March 1997. Best Current Practice. URL: https://tools.ietf.org/html/rfc2119
[RFC5234]
D. Crocker, Ed.; P. Overell. Augmented BNF for Syntax Specifications: ABNF. January 2008. Internet Standard. URL: https://tools.ietf.org/html/rfc5234
[RFC5890]
J. Klensin. Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework. August 2010. Proposed Standard. URL: https://tools.ietf.org/html/rfc5890
[RFC6265]
A. Barth. HTTP State Management Mechanism. April 2011. Proposed Standard. URL: https://tools.ietf.org/html/rfc6265
[RFC7234]
R. Fielding, Ed.; M. Nottingham, Ed.; J. Reschke, Ed.. Hypertext Transfer Protocol (HTTP/1.1): Caching. June 2014. Proposed Standard. URL: https://tools.ietf.org/html/rfc7234
[SERVICE-WORKERS]
Alex Russell; Jungkee Song; Jake Archibald. Service Workers. 25 June 2015. WD. URL: http://www.w3.org/TR/service-workers/
[WEBDATABASE]
Ian Hickson. Web SQL Database. 18 November 2010. NOTE. URL: http://www.w3.org/TR/webdatabase/

Informative References

[CSP2]
Mike West; Adam Barth; Dan Veditz. Content Security Policy Level 2. CR. URL: https://w3c.github.io/webappsec/specs/content-security-policy/
[RFC6919]
R. Barnes; S. Kent; E. Rescorla. Further Key Words for Use in RFCs to Indicate Requirement Levels. 1 April 2013. Experimental. URL: https://tools.ietf.org/html/rfc6919

IDL Index

enum StorageClearType {
  "cache",
  "cookies",
  "storage",
  "executionContexts"
};

dictionary StorageClearOptions {
  sequence<StorageClearType> types;
  boolean includeSubdomains = false;
};

partial interface StorageManager {
  Promise<void> clear(StorageClearOptions options);
};

Issues Index

This might live more cleanly in [STORAGE].
Monkey patching! Talk with Anne.
Some have suggested that this might not be a restriction we want (see Martin Thomson’s public-webappsec post on the topic, for example).
We’re dealing with the network cache here, as defined in [RFC7234], but that’s not nearly everything a user agent caches. How hand-wavey with the vendor-specific section can we be? For instance, Chrome clears out prerendered pages, script caches, WebGL shader caches, WebRTC bits and pieces, address bar suggestion caches, various networking bits that aren’t representations (HSTS/HPKP, SCDH, etc.). Perhaps [STORAGE] will make this clearer?
The [WEBDATABASE] spec is fairly unhelpful here with regard to deletion details.
We still need to spell out Filesystems, Dedicated Workers, Shared Workers, etc. (This isn’t an exhaustive list. We should fix that too.)
How do we say something about plugins here? Point out to NPP_ClearSiteData?