Expose API to clear offline persistence (in IndexedDB).

Question

Accepted Answer

I repeat this advice in every discussion related to this but I want to be clear: if you’re at all sensitive to the disclosure of cached information within the same operating system user account: _do not enable persistence_.

The Firestore client that exists today assumes that operating system user == actual user. Protecting within that boundary is a hard problem that we have not attempted to solve I repeat this advice in every discussion related to this but I want to be clear: if you’re at all sensitive to the disclosure of cached information within the same operating system user account: _do not enable persistence_. The Firestore client that exists today assumes that operating system user == actual user. Protecting within that boundary is a hard problem that we have not attempted to solve. We don’t believe clearing IndexedDB on sign-out is sufficient to implement this: it’s trivially defeated by a user forgetting to do it, the browser crashing, or an attacker installing a browser extension to read the contents of the database while another user is signed in. Clearing IndexedDB is still useful, especially for testing, and we are hoping to add this feature (PRs welcome, of course).

Expose API to clear offline persistence (in IndexedDB).

Problem

1 Fix

Solution: Expose API to clear offline persistence (in IndexedDB).

I repeat this advice in every discussion related to this but I want to be clear:

The Firestore client that exists today assumes that operating system user == act

We don’t believe clearing IndexedDB on sign-out is sufficient to implement this:

Clearing IndexedDB is still useful, especially for testing, and we are hoping to

Validation

Verification Summary

Environment

Submitted by

Tags