Web Database
-W3C Working Draft 10 September 2009
+Web SQL Database
-- This Version: -
- http://www.w3.org/TR/2009/WD-webdatabase-20090910/ -
- Latest Published Version: +
- Latest Published Version:
- http://www.w3.org/TR/webdatabase/
- Latest Editor's Draft:
- http://dev.w3.org/html5/webdatabase/ -
- Previous Versions: -
- http://www.w3.org/TR/2009/WD-webdatabase-20090423/
- :ZZZ -->
+
- http://www.w3.org/TR/2009/WD-webstorage-20090423/ +
- http://www.w3.org/TR/2009/WD-webdatabase-20091029/
+ - http://www.w3.org/TR/2009/WD-webstorage-20090423/ +
- Editors:
- Ian Hickson, Google, Inc.
Editor's Draft 13 January 2010
+Copyright @@ -191,7 +196,7 @@ and document use rules apply.
Abstract
This specification defines an API for storing data in databases - that can be queried using a variant of SQL.
Status of this document
This section describes the status of this document at the
+ that can be queried using a variant of SQL. This section describes the status of this document at the
time of its publication. Other documents may supersede this
document. A list of current W3C publications and the most recently
formally published revision of this technical report can be found in
@@ -215,7 +220,16 @@
under them in incompatible ways. Vendors interested in
implementing this specification before it eventually reaches the
Candidate Recommendation stage should join the aforementioned
- mailing lists and take part in the discussions. The latest stable version of the editor's draft of this
+ mailing lists and take part in the discussions. This specification has reached an impasse: all
+ interested implementors have used the same SQL backend (Sqlite), but
+ we need multiple independent implementations to proceed along a
+ standardisation path. Until another implementor is interested in
+ implementing this spec, the description of the SQL dialect has been
+ left as simply a reference to Sqlite, which isn't acceptable for a
+ standard. Should you be an implementor interested in implementing an
+ independent SQL backend, please contact the editor so that he can
+ write a specification for the dialect, thus allowing this
+ specification to move forward. The latest stable version of the editor's draft of this
specification is always available on the W3C CVS
server. Change tracking for this document is available at the
following location: The W3C Web Apps
Working Group is the W3C working group responsible for this
specification's progress along the W3C Recommendation track.
- This specification is the 10 September 2009 First Public Working Draft.
+ This specification is the 13 January 2010 Editor's Draft.
This document was produced by a group operating under the 5
February 2004 W3C Patent Policy. W3C maintains a public list of
any patent disclosures made in connection with the deliverables
@@ -240,7 +254,7 @@
patent. An individual who has actual knowledge of a patent which the
individual believes contains Essential
Claim(s) must disclose the information in accordance with section
- 6 of the W3C Patent Policy. If origin is not a scheme/host/port
+ tuple, then throw a If the database version provided is not the empty string,
and there is already a database with the given name from the origin
origin, but the database has a different
@@ -513,22 +531,22 @@ interface Dat
instead of the user agent prompting the user for permission to
increase the quota every five megabytes. When the user agent is to preprocess a SQL statement sqlStatement with an array of arguments arguments, it must run the following steps: Parse sqlStatement as a SQL statement,
- with the exception that U+003F QUESTION MARK (?) characters can be
+ with the exception that U+003F QUESTION MARK characters (?) can be
used in place of SQL literals in the statement. [SQL] Replace each Substitutions for Bind each Binding the The result is the statement. Implementors are encouraged to implement
- For the asynchronous API, implementors are
+ encouraged to prefetch all the data for
+ Fetching the Need to define the SQL dialect. User agents should limit the total amount of space allowed for
+ User agents must implement the SQL dialect supported by Sqlite 3.6.19. When converting bound arguments to SQL data types, the JavaScript
+ ToPrimitive abstract operation must be applied to obtain the raw
+ value to be processed. [ECMA262]. User agents should limit the total amount of space allowed for
databases.
User agents should guard against sites storing data under the
@@ -1084,7 +1108,8 @@ interface S
future. A third-party advertiser (or any entity capable of getting
content distributed to multiple sites) could use a unique identifier
stored in its
- client-side database
+ client-side databases
+
to track a user across multiple sessions, building a profile of the
user's interests to allow for highly targeted advertising. In
@@ -1099,6 +1124,7 @@ interface S
User agents may restrict access to
the database objects
+
to scripts originating at the domain of the top-level document of
the browsing context, for instance denying access to
the API for pages from other domains running in
@@ -1109,8 +1135,8 @@ interface S
User agents may automatically delete stored data after a period
- of time. User agents may, if so configured by the user, automatically
+ delete stored data after a period of time. This can restrict the ability of a site to track a user, as the
@@ -1118,10 +1144,11 @@ interface S
sessions when he authenticates with the site itself (e.g. by
making a purchase or logging in to a service). However, this also puts the user's data at risk. However, this also reduces the usefulness of the API as a
+ long-term storage mechanism. It can also put the user's data at
+ risk, if the user does not fully understand the implications of
+ data expiration. If users attempt to protect their privacy by clearing cookies
without also clearing data stored in the
-
- database
+ relevant databases,
-
- feature, sites can defeat those attempts by using the two features
- as redundant backup for each other. User agents should present the
+ sites can defeat those attempts by using the two features as
+ redundant backup for each other. User agents should present the
interfaces for clearing these in a way that helps users to
understand this possibility and enables them to delete data in all
persistent storage features simultaneously. [COOKIES] User agents may require the user to authorize access to
databases before a site can use the feature. Authors are strongly recommended to make use of the All references are normative unless marked "Non-normative". All references are normative unless marked "Non-normative".Status of This document
Table of contents
+ 6 of the W3C Patent Policy.Table of Contents
SECURITY_ERR exception and abort
+ these steps.4.2 Parsing and processing SQL statements
? placeholder with the value
- of the argument in the arguments array with
- the same position. (So the first ?
- placeholder gets replaced by the first value in the arguments array, and generally the nth ? placeholder gets
- replaced by the nth value in the arguments array.)?
- placeholders are done at the literal level, not as string
- concatenations, so this provides a way to dynamically insert
- parameters into a statement without risk of a SQL injection
- attack.? placeholder with the value of
+ the argument in the arguments array with the
+ same position. (So the first ? placeholder
+ gets bound to the first value in the arguments
+ array, and generally the nth ? placeholder gets bound to the nth value in the arguments
+ array.)? placeholders
+ is done at the literal level, not as string concatenations, so
+ this provides a way to dynamically insert parameters into a
+ statement without risk of a SQL injection attack.interface SQLResultSetRowList {
readonly attribute unsigned long length;
getter any item(in unsigned long index);
-};SQLResultSetRowList objects lazily, or at least
- asynchronously, for better performance.SQLResultSetRowList objects have a length
+};SQLResultSetRowList objects when the object is
+ constructed (before the result set callback is invoked), rather than
+ on-demand, for better responsiveness. For the synchronous API, an
+ on-demand lazy evaluation implementation strategy is encouraged
+ instead, for better performance.SQLResultSetRowList objects have a length
attribute that must return the number of rows it represents (the
number of rows returned by the database). This is the length.length might be
expensive, and authors are thus encouraged to avoid using it (or
@@ -1068,7 +1090,9 @@ interface S
A lock for the transaction could not be obtained in a
reasonable time.
- 5 Web SQL
6 Disk space
5 Web SQL
6 Disk space
7 Privacy
7.1 User tracking
8.5 SQL injection
? placeholder feature of the executeSql() method,
- and to never construct SQL statements on the fly.References
References
+