A polyfill for localStorage seems impossible to me, since we can’t fake a synchronous API without a second thread. If the localStorage API was asynchronous, it could be emulated with IndexedDB/WebSQL and that by itself would be a reason against its stand-alone existence.

LocalStorage’s (easy) synchronous nature and the fact that async programming in JS is no fun / PITA (compared to Go/C#5) makes it difficult to advocate against it at the moment. Harmony doesn’t even have anything async-related on the roadmap, leaving us with StreamlineJS, TameJS, IcedCoffeeScript, and Dart (with an experimental `async` keyword).

1. Burak Yiğit Kaya

   Harmony actually comes with a yield keyword similar to Python which can be used to ease the pain of async programming via libraries like TaskJS if I understood your concern correctly.

   March 5th, 2012 at 06:42

I’m still on the fence as to whether we really need to kill off localoStorage, mostly because IndexedDB hasn’t landed without vendor prefix yet, debugging tools are MIA and it’s hard for devs (accessibility of API design is going to be a factor of success – but agree that a polyfill on top of localStorage pointing to IndexedDB might be an elegant solution).

Anyway, one thing I wanted to clarify (or ask your opinion too) is you’re advocating *against* localStorage, but what about sessionStorage? Due to the way the data persists, it doesn’t lend itself well to storing a ton of data in there, so devs are much more likely to use it for tiny snippets of data. Sure that blocks still – which is why I’d like to get clarification on whether you’re advocating “stop using localStorage” or “stop using WebStorage”.

Hey guys,

There is one thing I do not understand. I am no localStorage guru, but why does the browser load any data while loading the page?
I suppose a possible answer would be that the localStorage engine is initiated during page load. If that is the case, why cannot it be done after page load?
Many other things make the document render slow if done at a bad time.

I am very curious about the answer.

Cheers,
edi

1. Marcel Jackwerth

   localStorage has a synchronous API. If the data isn’t loaded upfront, then any get-value call could block the whole UI thread for a few milliseconds (or even seconds). So actually this is a work-around of browser-vendors to compensate the short-comings of the localStorage API (discussed in “The main issue: terrible performance” of this blog post).

   March 5th, 2012 at 04:47
   1. Moldován Eduárd

      Well, this workaoround is then not actually a workaround. In my point of view, when I load a page and it hangs for seconds, I go away and never come back. If I am working, doing something, on the page, then it hangs for a while, telling me that it is loading something, I accept that, because I asked it to do something for me.
      This might be a very simplified point of view, but might work. What do you think of it?

      March 5th, 2012 at 06:01

To put things in perspective, without localStorage, the alternative has been to load data off the server over the network. Undoubtedly, that’s orders of magnitude slower. We have eliminated that performance overhead by going to disk instead of the network.

Also, the optimization mentioned where browsers keep stuff in memory should speed up seek times by orders of magnitude again. The concern of this hogging up memory is a real concern too, but this is obviously capped to a 5mb max. Granted it’ll consume a little more than 5mb when in memory, but it won’t be disproportionately much more.

So, performance is not that big a deal (disk vs. network, memory vs. disk, memory vs. network), and the sync API isn’t a big deal either (loading from memory anyway). So the only real problem is that there’s a 5mb limit.

Or am I missing something?

1. Jonas Sicking

   FileWriter has even less cross-browser support than IDB. Currently it’s *only* implemented in Chrome. At last TPAC, all other browser vendors said that they had no plans to implement it.

   March 5th, 2012 at 11:33
   1. Jonas Sicking

      Hmm.. not sure how that happened, the previous response was intended for another comment.

      Anyhow.

      Going to the network is indeed almost always slower than going to disk.

      The problem is the synchronous API. It’s not true that it’s always loading from memory. We couldn’t afford to load all localStorage data into memory since it can be a lot. Instead what we do is that we try to anticipate when a website will use localStorage and at that point load the data into memory.

      But anticipating isn’t foolproof. And sometimes a request to get data from localStorage happens before we’ve managed to load the data into memory. Since the API is synchronous, that means that the page is blocked until we’ve loaded the data.

      So while going to the network is slower, it doesn’t result in the page getting blocked (unless you’re using sync XHR, which you shouldn’t do for the same reasons).

      I’m of course not arguing that storing data on the server is always better than using localStorage. But I wanted to answer some of the questions you raised in your comment.

      March 5th, 2012 at 11:47
      1. Sean Hogan

         So if a site uses LocalStorage to save settings (basically a replacement for cookies) and NOT to save files then performance shouldn’t be an issue?

         March 5th, 2012 at 15:10
         1. Jonas Sicking

            It means that we’ll have to load less data, which certainly will make the first access faster. But it still requires a synchronous load, which means that if the disk is busy doing something else, we’ll have to wait for the disk to finish what it’s doing before the page gets unblocked.

            March 6th, 2012 at 01:58

      2. Rakesh Pai

         Thanks for the reply, Jonas.

         The technique of anticipating if a site will need localStorage seems like a good idea. The race condition between when the browser decides whether the page needs localStorage (again, a local lookup or something) and then loading the data into memory, vs the site starting to use it (usually involving going over the network to load scripts), shouldn’t causse too much of a performance problem, I guess. I might be wrong, of course, but it does seem like there’s room for improvement.

         There might be ideas to pick up from in-memory databases that lazily persist to disk, like say MongoDB.

         I guess what I’m trying to say is that the API right now is beautiful, and is very easy to use. If the browser can do the heavy-lifting to ensure that the API works fast enough at least in most circumstances, we’re doing pretty well, isn’t it?

         March 5th, 2012 at 20:17
         1. Jonas Sicking

            I don’t personally have numbers, but do you really want an API which only works “in most circumstances”?

            I think most users want something that works reliably, so ultimately that’s what I hope developers want too.

            March 6th, 2012 at 02:05

I’m also concerned about security, because every pages on the same origin (ie: scheme/hostname/port) can use the same data in localStorage.

Maybe that’s less relevant now, when quite everyone have its own domain name, but I think it’s still an issue in some shared web hosting services.

1. Jonas Sicking

   All pages that are on the same origin can always read each other’s data. If you open an to another page that’s in the same origin, you can reach in to it and access any part of the DOM or the JS objects that it has created.

   Effectively the security model of the web is that each origin is its own security domain. It’s unfortunately too late to try to create anything more fine grained than that.

   March 6th, 2012 at 02:08
   1. Jonas Sicking

      Oops, that should say:

      If you open an *iframe* to another page…

      March 6th, 2012 at 03:47

   2. JulienW

      Actually, the “security model of the web” as you call it is not so ubiquitous.

      There is actually a very known exception: cookies. The security model of cookies consist of both domain (which can be any parent domain of the domain of the webpage, btw) and a path. I’m really wondering why this wasn’t used for other security model.

      Maybe it’s too late; then it must be known so that applications stay safe.

      March 15th, 2012 at 03:04

2. Nealle

   Security is a concern for me too, I work for a large FI and we are writing guidelines for developers to use as they begin developing in HTML5, with a particular focus on mobile and right now inspite of all the issues mentioned we will simply ban offline storage as we cannot encrypt the content to a level that would make us feel comfortable that the data is secure in case of device theft or loss.

   March 14th, 2012 at 14:00

I completely agree to Jens. Localstorage was a god-send, when there were times we had to battle cookies.
The main advantage is, it’s here TODAY and it WORKS on all modern browsers (mobile or not).
For people who focus on the mobile user (and they’re getting more and more), it is the only safe storage option out there. Everything else is limited.
I abandoned Firefox quite a bit in recent times due to the fact, that there’s a webkit on most mobile machines, supporting common APIs as on the desktop.
From a developer’s pov, it is inevitable that we stop the dictate of single browser vendors (first IE, then MOZ, now Webkit) to kill common and useable APIs.
This would make the web more useable for all of us!

The problem IMO is that the browser disk cache doesn’t deliver the necessary performance and features. Studies show that normal users have less cache “hits” than we would expect. Purging algorithms are under-developed (eg, prioritization based on content-type). There’s no guarantee of space per website. And no API.

It’s been 2 years since I asked browsers to focus on disk cache ( http://www.stevesouders.com/blog/2010/04/26/call-to-improve-browser-caching/ ). At that time I warned that localStorage was being misused as a disk cache alternative (FB was already doing this). We’ve had some good improvements in disk cache – mostly in size – but we’re far short of where we should be. The horse has left the barn. Trying to fix the problem by evangelizing a move away from localStorage will not be successful.

LocalStorage is here to stay. The best solution is for browser vendors to address the issues. (Sorry – I know that means more work for you. I wish we had fixed disk cache before this got away from us!) What should browsers do?

1. add callback functionality – The leading gurus will use this wisely, but we must realize a majority of sites won’t adopt this new pattern for years.

2. better UI – It’s difficult for users to figure out how to see, edit, clear, & limit their localStorage. A better UI is needed.

3. LRU purging – If localStorage becomes widely used then 5MB per site may claim a large amount of user disk space. Browsers should add most-recently-used info to localStorage so the bytes for unused sites can be reclaimed.

4. preloading – Using this LRU data browsers can more intelligently determine whether to read strings from localStorage in to memory as soon as the website URL is requested (in anticipation of that HTML document response call getItem). This allows various memory use optimizations, eg, if a key hasn’t been accessed in a long time it shouldn’t be preloaded.

I’m sure there are other improvements browser teams can think of, and perhaps have already implemented. My main point is, the best way out of this is for the browser teams (once again) to step up to the plate so that web devs can focus on their app and not on the performance of features that have already been added to browsers.

1. Taras Glek

   Steve, we have started addressing cache issues:
   * Firefox cache can now reach 1gb(which turns out to be too much on some machines).

   * A lot more work remains to be done. Some fundamental assumptions changed since browser cache was first introduced (ie harddrives are no longer strictly faster than network) and size of items cached has grown rapidly.

   * Stuff like html5 video requires cache to cache items to be sparsely stored(ie when you seek around in a video while it’s downloading).

   I think there is a lot of room for optimization in the browser cache…and given that a lot of use-cases for Local Storage seem to be to avoid dealing with browser cache, perhaps providing better cache-control from the browser will solve some LS woes.

   March 5th, 2012 at 12:12
   1. Larry Garfield

      Improved browser caching would be very much appreciated, so that we don’t have to try and come up with crazy crazy ideas like this: http://www.garfieldtech.com/blog/caching-tng

      :-)

      March 5th, 2012 at 12:19
      1. Taras Glek

         Larry,
         That’s awesome. I tried to summarize LS->Cache thoughts in
         http://groups.google.com/group/mozilla.dev.tech.network/browse_thread/thread/4acf1c6e5b071193#

         I noticed that most LS usage is to bypass the cache…So it makes some sense to just make the cache more useful rather than design a whole new subsystem. Thanks for planting the idea!

         March 5th, 2012 at 13:20

Now that I’ve ranted quite a bit about WebSQL, let me step back and say, sorry if I’ve been harsh, the world of web technology is steadily moving away from the vision I had of it, but that’s my issue not Mozilla’s. As my disillusionment grows, I will probably switch to doing more native programming and be better off for it.

But here’s the essential problem with HTML-application storage, users need full control of their storage options (with minimal hassle in managing it), while applications depend on persistent storage being, well, persistent. This is going to be a complicating factor to any storage API and needs to be solved sensibly first (even if we’re talking just for cookie storage).

If I were a spec-ing man, and I’m not, I might write up a spec that incorporated an API for saving web-data. That is, the site could trigger a prompt (do you wish to save your data from this session?) Moreover, when you clear your cookies (which should clear all persistent data, since users are only used to cookies as a form of persistent data and shouldn’t overlook something they meant to clear), perhaps users could get a prompt (with an option never to show again), “You have X many web applications with saved information in your browser do you want to delete this” -> the user should also then get a trigger for a per-application editing of which to save and which to discard.

In addition to all that, the user should any point have the option to “export” their data for a particular web application and re-load it in another application. This is a point where most storage methods fall short and while some sync services provide sync-ing of say cookie data,

A. they usually don’t provide full-syncing of non-cookie storage
B. if they do it’s usually browser-specific
C. I, at least, like to have a file for my exports, especially since I like to mess around with said files.

What would be really nice, and I realize browser vendors may not care about this, given that they are trying to kill plugins (without providing similar or near similar functionality in extensions, this is one aspect where Mozilla shines), but it would be nice if an API was presented to plugins to utilize this for their data storage (what would be really cool if you could trigger an option to only use plugins that use the API for persistent data storage (ie, they could still save to %TEMP% for cache data, or to this API, but not to the underlying filesystem), that may not work for all plugins, so I would really like it as a switch presented to users (in the options menu, all options should be accessible somehow through the options menu about:config))).

1. John Thomas

   Realize I’m reposting quite a bit (and my lunch hour is pretty much over, so I am officially slacking), but what if you could simply have a store webpage state option. This doesn’t exactly solve the whole user needs for erasable storage vs. persistent storage needs dilemma, but even with a full API for a js database, either websql or indexdb, developers are going to end up storing a lot of data in the DOM as attributes and hidden elements. If they want to make that data persistent, they would need to pull it out and serialize it even if there was a full-functioning persistent storage API (and nowadays most developers serialize the data and post it to the server where it exists as session data).

   But what if they could just save the current state of the web page in the browser, and then the site can ask to say, resume named session (there could be an input type session for example).

   This isn’t exactly a replacement for a persistent storage api (after all you may have a massive page and just a little persistent data), but it would be cool at least.

   March 6th, 2012 at 12:05

Android, iOS, Symbian have SQLite and app developers are happy. SQL is too complex? But JavaScript and CSS positioning aren’t?

Sure, continue search for your own WinFS.

1. Robert Nyman

   I believe the cons of WebSQL are covered in comments above, in terms of specific version and other issues.

   March 7th, 2012 at 01:31
   1. Pete

      I still try to find out why the Mozilla guys are so against WebSQL without any rational arguments.

      It is also stated above that currently WebSQL is covered by almost all mobile devices and all are happy.

      March 7th, 2012 at 02:04
      1. Jonas Sicking

         There are many reasons we didn’t like WebSQL.

         1. No two SQL engines implement the same dialect of SQL. Your most basic “Select * from table” query will work everywhere, but things quickly start behaving somewhat differently. So unless all browsers agree to use the same SQL engine backend (and agree to do so for the rest of time, even if other faster database engines are created), you’ll have different browsers doing different things. That’s no good on the web.

         2. There are often small differences in the SQL dialect that different versions of the *same* SQL engine. As most server developers know, you often need to make small changes in your queries when upgrading your SQL engine to a new major release. That’s fine on the server where you are in control of when the SQL engine is updated. It’s not fine on the web where you don’t know when users are going to update their browsers and when different users have different versions of browsers. And browsers will be forced to upgrade their SQL engines since old versions stop being supported and have known security issues. Also we want to be able to use the latest version for performance reasons.

         3. Even for SQL queries where SQL engines give the same result, the performance can be vastly different. If a SQL engine doesn’t realize it should use a particular index it could easily be 1000 times slower even for moderate data set sizes. Would you really be ok with some function in your site running 1000 slower in a particular browser? This is not a big problem in a server environment where you can test your query against the SQL engine you’re planning on using, but it’s not ok on the web where we want APIs to work consistently across browsers.

         4. Performance in SQL is notoriously hard. Missing an index can be the difference between having your query hang on execute in a fraction of a second. One of the things that make performance hard is that you’re not actually expressing what you want the SQL engine to do. You express some constraints on the result that you want and hope that the engine is smart enough to use an entirely different execution strategy which is actually fast. Any SQL developer that has had to deal with complex performance critical queries have sat tweaking their queries between different expressions that actually mean the same thing, until the SQL engine suddenly “gets it” and uses the index that you want. Another problem is that if you have bad performance, the problem might not be the part of the code where performance is slow, but rather where you constructed your table as to have the wrong order of columns, or the wrong set of indexes.

         5. SQL isn’t particularly “Webby”. I.e. you can’t store your JSON objects directly. Instead you have to manually pick your data apart and stick it into columns. Sure, you can use JSON.stringify, but then you can’t index on any of the data in your object.

         6. SQL-injection attacks. They happen *everywhere* where people use SQL in combination with untrusted data. Even when there are API features to help you avoid it. Concatenating strings is just so darn easy that people constantly fall into that trap.

         March 7th, 2012 at 20:12
         1. greg

            1. Just use SQLite. “So unless all browsers agree to use the same SQL engine backend” – So the problem is political. There are also small differences in HTML/CSS implementations. So being consistent you should stop supporting these specifications also.

            2. Thank God you don’t work in IE team and we don’t have to live with IE6 bugs for the rest of time. BTW SQLite is small enough so it is possible to keep few versions inside one browser.

            3. Is this some kind of joke? Millions of developers already test web apps in IE, FF, Chrome and Safari.

            4. Just wow! Remove loops and arrays from JavaScript. Do you know how hard is to sort numbers in O(n) time? Just add too many numbers to an array, sort them with bubble sort and your browser is frozen!

            5. And with localStorage it is possible to index objects by fields?

            6. Nice try. On the client side you don’t have to worry about SQL injections at all. Clue: you have to validate all data once again on the server side.

            March 8th, 2012 at 12:26

Comepletely agree. LocalStorage is dodgy. I developed a game for webOS on the Palm Pre a while back and initially used LocalStorage for level saves. I used to to get loads of user complaints. I switched to websql and no problems ever again. Async guarantees that js will not run off by itself without your data. Sync does not guarantee this and hence the user complaints.

“The main issue: terrible performance”

If this is the main issue then write better code and fix it. Yes, it really is that simple.

If the browser is loading all localStorage into cache when first visiting a web site then stop it. Any wonder you think it is slow. A single host may have many separate web applications which use localStorage so you should not be loading everything into memory at once. This is just common sense. Let the developers determine the best time to load any data, and also deal with their own caching. This is what we are doing as we can not guarantee that every browser is going to cache localStorage at all. So for those browsers that are caching the data it is just a waste of memory – again stop doing it.

Bottom line – there is nothing wrong with the localStorage API only how it is being implemented.

Why not just add getItemAsync to localStorage, and an optional callback to setItem?

localStorage.getItemAsync(key, callback);
localStorage.setItem(key, data, optional_complete_callback);

setItem returns and has immediate effect, but the data is persistently on disk only when optional_complete_callback is called.

On the other hand, getItemAsync returns nothing, but passes the data to callback.

Did I guess well? The source of evil in localStorage is use of array operator? If so, can you flag it as deprecated? I haven’t found any word about it in Web Storage specification…

Nothing in the methods getitem / setItem does not require loading the entire database into memory …

You can also add optional callback argument to getItem.

The second issue is WebSql. Killing it does not help. The argument about incomplete implementations is highly ineffective, especially in a world where there is no consensus to the html / css / javascript between browsers.

Worse. This is a very shortsighted approach. Currently Javascript is not just a browser, the server developers have no choice – try to use something else than SQL and you may end killed by laughter.

I do not see the reason why Mozilla encounters many problems with SQLite. The same engine works in other browsers, mobile phones and many other devices.

I’m using applicationCache + indexedDB to build off-line applications. IndexedDB makes it possible to store user input while off-line. That is great, but I’m concerned of how much persistent this data is. I’ve found that, in Chrome, the persistent storage “is available only to apps that use the Files System API”[1]. What is the policy used by Firefox? I can’t find any docs on this.

[1]: https://developers.google.com/chrome/whitepapers/storage

1. Taras Glek

   We have an indexeddb prompt, once user accepts the prompt, data persists forever.
   We plan to add chrome-like promptless operation that autocleans the data, but we will still allow a prompt to persist data.

   June 20th, 2012 at 11:37
   1. Marcello Nuccio

      Looks great: default behaviour is automatic clean-up, but the user can choose to make data persistent. Chrome’s policy makes IndexedDB pointless for off-line use: how can I use it to store data if I don’t have any control on how much persistent it is?

      The sad thing is that, it will be difficult to support both browsers, because I will need to use File System API on Chrome, and IndexedDB on Firefox…

      June 20th, 2012 at 23:23
      1. JulienW

         I think you misunderstood something.

         Chrome supports both IndexedDB and their Filesystem API but the paper you referenced only talks about the Filesystem API.

         So you can use IndexedDB in Chrome as well.

         If you want to support Safari, Opera, and mobile browsers as well, you may use the shim there : http://nparashuram.com/IndexedDBShim/

         June 21st, 2012 at 00:08
         1. Todd Blanchard

            The shim (and IndexedDB for that matter) doesn’t provide any support for joining data.

            I need JOINS. This isn’t kid stuff – we have grownup data requirements needing complex views of our data. A key/value store isn’t going to cut it.

            November 9th, 2012 at 10:56

Has anything about this article changed in the last 6 months? I see articles like this http://www.netmagazine.com/tutorials/make-disaster-proof-html5-forms and it makes me interested to use it for future projects with forms.

1. Robert Nyman

   I would say that the pros and cons still stand.

   September 14th, 2012 at 02:01