Closed Bug 1198772 Opened 10 years ago Closed 1 year ago

sessionStorage is not cleared when closing the tab

Categories

(Firefox :: Session Restore, defect)

40 Branch
x86_64
Windows 7
defect

RESOLVED WONTFIX

People

(Reporter: guy111, Unassigned)

Details

(Whiteboard: [wontfix?])

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36

Steps to reproduce:

Reproduction steps:
1. Put something in the session storage
   sessionStorage.setItem('foo', 'bar');
2. Close the tab
3. Right-click on any tab and select "Reopen closed tab"
4. sessionStorage.foo will be available

Expected result - sessionStorage should be empty.

Browser/OS: Chrome for Windows / Mac

More info: http://blog.guya.net/2015/08/25/the-never-ending-browser-sessions/

I know this is probably minor, but still it's a bad behavior.

Actual results:

sessionStorage is revived

Expected results:

sessionStorage should have been cleared
Severity: normal → minor
OS: Unspecified → Windows 7
Hardware: Unspecified → x86_64
This is working as designed (e.g. bug 726455 about this not working in a particular situation is considered a valid bug). In general, Session restore (which Undo close tab is a part of) tries to balance the user privacy with the ability to restore pages exactly as the user left them. There's bug 345345 about restoring session information at startup, but nothing I could find about Undo close tab. I don't think the change suggested in comment 0 will be implemented, but since I couldn't find if this was discussed previously, a comment from the owner of the module would be appreciated.
Component: Untriaged → Session Restore
Whiteboard: [wontfix?]
Severity: minor → S4

SUMMARY
Hi Nickolay. Thank you so much for taking an interest in this bug report. Based on my testing, I have proved beyond all doubt that:

  1. Firefox persists sessionStorage data during closure of the web browser;
  2. Firefox persists sessionStorage data during machine restart;
  3. Chrome and Edge do not behave in this way.

The above is easily testable by populating the window.sessionStorage object with some data, closing and reopening Firefox (or restarting the machine and re-opening Firefox), doing 'Re-open closed tab', going to the console and inspecting the window.sessionStorage object.

I don't know what the ECMAScript spec (ECMA-262) says about the persistence of sessionStorage data, but Firefox is here going against the general perception among web developers and imo Firefox's behaviour here is a serious and global problem from the perspective of data protection regulation and security.

DATA PROTECTION
It is very widely (ubiquitously in my experience) reported in online articles that sessionStorage data does not persist data during closure of a browser tab and certainly not during closure of the whole browser or during restarting of the machine. I would therefore suggest that a very large number of web developers, working on this understanding, are misleading their users within their privacy/GDPR policies. The persistency of data that a website/webapp collects and saves on the user's machine (generally known as a cookie or cookie-like technology) is clearly an important thing for a user to consider when deciding whether to accept a type of cookie and therefore an important thing for website owners to get right when they write their privacy/GDPR webpages.

SECURITY
Disclosure: I am not a data security expert. Nonetheless, I believe - and I think it is common sense - that all cookies (including session cookies) increase what is known as the 'attack surface' of the website/webapp code, which increases the potential for vulnerabilities and the number of resulting attack vectors. Therefore, the fact that, in the case of Firefox, website users are being misled (by erroneous privacy/GDPR policies - see above) regarding the persistency of session cookies is hindering these users' ability to make informed decisions about the safety of the cookies they are asked to accept.

CONCLUSION
I believe that if this is not resolved by Firefox, this is something that should be escalated to law makers and other authorities as the impact on data protection and security is severe and widespread.

Flags: needinfo?(sfoster)

> It is very widely (ubiquitously in my experience) reported in online articles that sessionStorage data does not persist data during closure of a browser tab and certainly not during closure of the whole browser or during restarting of the machine.

These are 2 very different things. If the user closes a tab and there are no other tabs open at that origin, it's reasonable to expect that the session storage for that origin be reset. But, if the user has configured their browser to save and restore their session on shut-down and restarts their browser while leaving those tabs open, Firefox interprets that to mean they wish to resume their session and any values in sessionStorage are retained and restored at startup. My understanding is that the scope and lifetime of sessionStorage should match that of session cookies in this regard.

Flags: needinfo?(sfoster)

> The above is easily testable by populating the window.sessionStorage object with some data, closing and reopening Firefox (or restarting the machine and re-opening Firefox), doing 'Re-open closed tab', going to the console and inspecting the window.sessionStorage object.

As Nickolay pointed out (9 years ago), it's not clear what the expectations are for session storage when undoing closure of a tab. I'm open to suggestions here. Does W3C have anything definitive to say on this? (I would expect that to fall within the web standards rather than JavaScript language standards' scope).

Thank you, you've made some interesting points, Sam Foster. And I'm now confused because I've re-run my test on another machine and Firefox is not persisting the contents of sessionStorage during a tab closure, browser closure, or machine restart! Perhaps this is caused by the Firefox settings. I will do more testing and if I get anywhere, I will reply here.

I've consulted with colleagues to get some more context on this (I'm a new contributor to this module myself). The current behavior is intentional and represents decisions made many years ago. While you (or Chrome) may disagree, this is currently working as designed and within spec.

You will need to enable the "Open previous windows and tabs" setting to reproduce the effect where session data is restored across browser restarts.

Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → WONTFIX

You can read some discussion and the history behind this decision in bug 530594 and bug 345345.
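
Because Firefox brings sessionStorage back on "Reopen closed tab" and on session restore, a page that wants short-lived data cannot rely on tab or browser closure to clear it. The following is an added example (not part of this bug's discussion and not Firefox code) that binds each stored value to an expiry time and sweeps stale records on page load; `PREFIX`, `MAX_AGE_MS`, the function names and the `MemoryStorage` stand-in are assumptions made for illustration.

```javascript
// Added example, not from the bug report. PREFIX and MAX_AGE_MS are assumptions.
const PREFIX = 'exp:';
const MAX_AGE_MS = 15 * 60 * 1000;

// Store a value together with an absolute expiry time.
function putExpiring(storage, key, value, now = Date.now(), maxAgeMs = MAX_AGE_MS) {
  storage.setItem(PREFIX + key, JSON.stringify({ v: value, exp: now + maxAgeMs }));
}

// Return the value only while it is fresh; purge stale or malformed records.
function getExpiring(storage, key, now = Date.now()) {
  const raw = storage.getItem(PREFIX + key);
  if (raw === null) return null;
  let rec = null;
  try { rec = JSON.parse(raw); } catch { /* malformed: treated as expired */ }
  if (!rec || typeof rec.exp !== 'number' || now >= rec.exp) {
    storage.removeItem(PREFIX + key);
    return null;
  }
  return rec.v;
}

// Call on page load: a restored tab gets its old storage back, so sweep it.
function purgeExpired(storage, now = Date.now()) {
  const keys = [];
  for (let i = 0; i < storage.length; i++) keys.push(storage.key(i));
  let removed = 0;
  for (const k of keys) {
    if (!k.startsWith(PREFIX)) continue; // leave entries this wrapper did not write
    getExpiring(storage, k.slice(PREFIX.length), now);
    if (storage.getItem(k) === null) removed++;
  }
  return removed;
}

// Constructed in-memory stand-in for window.sessionStorage (runs outside a browser).
class MemoryStorage {
  constructor(entries = []) { this.m = new Map(entries); }
  get length() { return this.m.size; }
  key(i) { return [...this.m.keys()][i] ?? null; }
  getItem(k) { return this.m.has(k) ? this.m.get(k) : null; }
  setItem(k, v) { this.m.set(k, String(v)); }
  removeItem(k) { this.m.delete(k); }
  // Models "Reopen closed tab" / session restore: same data, new tab.
  restoredCopy() { return new MemoryStorage([...this.m]); }
}
```

In a page, pass `window.sessionStorage` as the `storage` argument and call `purgeExpired(sessionStorage)` before reading anything else.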
