This page was moved from the old wiki and is in the process of being revised.
As the reference client, maintained by the RS core team, it always supports the latest protocol versions (but is reasonably backwards-compatible as well).
Apps should always be hosted under their own domain or subdomain, as opposed to hosting several apps in subdirectory URLs of a common domain. This is due to the Web’s per-origin security model, where things like Web storage, permissions, etc. are scoped by origin, i.e. by “domain/host:port”.
Apps should always be available via HTTPS. HTTP should redirect to the same URI on HTTPS.
Due to there being no client registration for OAuth apps on the Open Web, most remoteStorage servers currently require the
client_id parameter to be the same base URL as the
remoteStorage.js supports Private/Incognito browsing mode in modern browsers. However, depending on browser support it cannot use all or any local Web Storage backends.
IndexedDB and localStorage are stubbed but not functional in Private windows (in version 9.1). RS.js stores all data in memory, so it is lost when connecting a remote storage (except for the WebFinger discovery data, which is transported via the OAuth
Caveat: do not get fooled by Safari’s Web Inspector. It displays the localStorage content for the origin, but not IndexedDB.