Storage sandbox per app origin


Continued from

Proposal 1:

  • get rid of modules, and of scopes (other, maybe, than readonly/readwrite). Each app gets just its own sandbox.

Proposal 2:

  • get rid of modules, and let the scope default to the app’s own sandbox origin, but still allow apps to request access to another app’s origin/storage sandbox.

So instead of requesting access to the ‘shared’ module, my app would request access to the ‘’ sandbox, and it would amount to the same thing, except that each app is the “boss” over the module it defines.


I’m strongly against both, because I want my apps to share data by design, not as “use data created by other app” add-on option. That would mean an app is always considered authoritative of data, which is the opposite idea of RS in its current state. I personally want the storage/user to be the authority, not app authors or their products.

In the current state any app can always use its own category already, and many apps do.


Sandboxing can be done transparently while still adhering to the spec. The server can internally create a new storage for each app, so it doesn’t matter which scope the app requests. It could be activated/deactivated in the oauth prompt. Which variant is best, and if it’s even a good idea, should be figured out by implementors.

Perhaps add a note that the server MAY do all of this.
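As an added illustration of the transparent, server-side sandboxing described in the reply above (example code, not from the remoteStorage project or from any poster here): the app keeps requesting an ordinary `module:r` / `module:rw` scope, and the server decides per grant whether that module lives in a shared tree or in a per-origin tree. The `/_sandbox/` prefix and the prompt toggle are assumptions for the example.

```python
# Hypothetical server-side sandboxing of a remoteStorage scope grant.
# The app-facing scope string is unchanged; only the internal path differs.
from dataclasses import dataclass
from urllib.parse import quote


@dataclass(frozen=True)
class Grant:
    app_origin: str   # OAuth client origin, e.g. "https://notes.example"
    module: str       # module the app requested, e.g. "contacts"
    mode: str         # "r" or "rw", as in the scope string "contacts:rw"
    sandboxed: bool   # user's choice in the OAuth prompt (assumed toggle)


def parse_scope(scope: str) -> tuple[str, str]:
    """Split a scope string such as 'contacts:rw' into (module, mode)."""
    module, sep, mode = scope.partition(":")
    if not sep or not module or "/" in module or mode not in ("r", "rw"):
        raise ValueError(f"malformed scope: {scope!r}")
    return module, mode


def resolve(grant: Grant, method: str, path: str) -> str:
    """Map a request path to the server-internal storage path.

    The app always addresses /<module>/...; with sandboxing on, the server
    keeps that module under a per-origin tree so other apps cannot reach it,
    with sandboxing off it is the shared module every app with that scope sees.
    """
    if not path.startswith(f"/{grant.module}/"):
        raise PermissionError(f"{path} is outside the granted module")
    if method not in ("GET", "HEAD") and grant.mode != "rw":
        raise PermissionError("read-only grant")
    if grant.sandboxed:
        # Assumed internal layout; the origin is percent-encoded to keep
        # it a single path segment.
        return f"/_sandbox/{quote(grant.app_origin, safe='')}{path}"
    return path
```

The same request from two apps holding `contacts:rw` resolves to different internal paths only when the user chose to sandbox one of them, which is what makes the behaviour invisible to the spec-level client.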