Closed Bug 1407936 Opened 4 years ago Closed 4 years ago

Site data is not completely deleted from profile folder after removing data from Fx site data settings

Categories

(Core :: Storage: Quota Manager, defect, P1)

Product:
Core
Component:
Storage: Quota Manager
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla58
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox56 --- unaffected
firefox57 --- fixed
firefox58 --- fixed

People

(Reporter: bogdan_maris, Assigned: baku)

References

(Blocks 1 open bug)

Details

(Keywords: regression)

Attachments

(1 file)

unregister_sw.patch
3.62 KB, patch
bkelly
: review+
ritu
: approval-mozilla-beta+
Details | Diff | Splinter Review 
[Affected versions]:
- latest Nightly 58.0a1
- Firefox 57 beta 7

[Affected platforms]:
- Ubuntu 16.04 32bit
- macOS 10.12.6
- Windows 7 32bit

[Steps to reproduce]:
1. Start Firefox
2. Visit twitter.com and login using an existing account
3. Go to about:preferences#privacy
4. Click settings from Site Data section
5. Click Remove All button and Save changes
6. Refresh about:preferences page and revisit settings from Site Data section

[Expected result]:
- No site data is present in Settings

[Actual result]:
- There is 64kb of data left in Settings. Following step 5 from above the second time will remove all data for good.
- Other websites could be affected by this as well not only twitter.

[Regression range]:
- Don't think this is a regression since it reproduces back in Nightly 55 (2017-06-12) as well.
Component: DOM: File → DOM: Quota Manager
The file folder contains cache sqlite database only and it's an empty database;
I don't see QuotaManager error when deleting site data from console logs. I need to dig into why cache sqlite doesn't clear at all.
Is twitter still open when you clear the storage?  It can touch the disk again immediately.
(In reply to Ben Kelly [:bkelly] from comment #2)
> Is twitter still open when you clear the storage?  It can touch the disk
> again immediately.

We've tried to close the tab first then clear the storage. Cache still exists.
Twitter has a service worker with push notifications.  Its possible its running when you close the tab and clear the storage.  I'm not sure how we handle an already running worker in that case.  Perhaps verify the worker is stopped before clearing the storage?
baku worked on this situation recently so maybe he can answer comment 4.

P1 since we just went through a fire drill trying to fix this :)
Assignee: nobody → amarchesini
Flags: needinfo?(amarchesini)
Priority: -- → P1
Documentation of removeAndPropagate() says that:

   * Clears ServiceWorker registrations from memory and disk for the specified                            
   * host.                                                                                                
   * - All ServiceWorker instances change their state to redundant.                                       
   * - Existing ServiceWorker instances handling fetches will keep running.                               
   * - All documents will immediately stop being controlled.                                              
   * - Unregister jobs will be queued for all registrations.                                              
   *   This eventually results in the registration being deleted from disk too.  

Maybe we should add a callback so that we cleanup data only when the operation is completed. Makes sense?
Flags: needinfo?(amarchesini)
Flags: needinfo?(bkelly)
(In reply to Andrea Marchesini [:baku] from comment #6)
> Maybe we should add a callback so that we cleanup data only when the
> operation is completed. Makes sense?

We could do this, but a site could in theory arrange to keep itself a live for a while.

I guess I'd prefer to track that this is a user based override removal and force kill the SW.  We should also make sure push registrations are removed correctly.
Flags: needinfo?(bkelly)
Attachment #8920030 - Flags: review?(bkelly)
Comment on attachment 8920030 [details] [diff] [review]
unregister_sw.patch

Can you please provide some additional context about what the problem was and how this fixes it?  Thanks.
Attachment #8920030 - Flags: review?(bkelly)
> Can you please provide some additional context about what the problem was
> and how this fixes it?  Thanks.

SWM.removeAndPropagate() doesn't use a callback and we end up removing QuotaManagar data while SW can be up and running.
At the same time, offline function returns before completing the operation instead waiting for SW to be unregistered.

This patch fixes the issue using propagateUnregister() method and promises.
Flags: needinfo?(bkelly)
Thanks.
Flags: needinfo?(bkelly)
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3624656ebe46
Cleaning up QuotaManagar data only when ServiceWorkers are correctly unregistered, r=bkelly
See Also: → 1410416
Privacy leak? Is this something we should consider uplifting to Beta?
status-firefox-esr52: --- → unaffected
Flags: needinfo?(amarchesini)
Hi baku,

It seems that this patch did not fix this bug, there's still cache left in the pofile folder (for https+++www.youtube.com, https+++twitter.com) alongside with .metadata, .metadata-v2 files. I've tried to close the tab first and then clear the storage, but it didn't make any difference. Tested on Win 10 x64 and Mac OS X 10.11 with latest Nightly 58.0a1 (20171020100426).

Can you please take a look at this?
Let's try not to mix up "data accessible to websites" and "data stored in the profile folder".
> It seems that this patch did not fix this bug, there's still cache left in
> the pofile folder (for https+++www.youtube.com, https+++twitter.com)
> Can you please take a look at this?

Do we still have data into these folders? Is twitter having some SW still registered?

NI janv to know if it's correct to have these files in the storage directory.
Flags: needinfo?(jvarga)
Flags: needinfo?(ciprian.georgiu)
Flags: needinfo?(amarchesini)
Comment on attachment 8920030 [details] [diff] [review]
unregister_sw.patch

Approval Request Comment
[Feature/Bug causing the regression]: bug 1047098
[User impact if declined]: FF can freezes on shutdown.
[Is this code covered by automated tests?]: no
[Has the fix been verified in Nightly?]: yes, at least, manually
[Needs manual test from QE? If yes, steps to reproduce]: See the bug description for the STR
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: low
[Why is the change risky/not risky?]: the cleanup of data happens only when ServiceWorkers are correctly unregistered. It's just a different ordering of promises.
[String changes made/needed]: none
Attachment #8920030 - Flags: approval-mozilla-beta?
(In reply to Ciprian Georgiu, QA [:ciprian_georgiu] from comment #16)
> Hi baku,
> 
> It seems that this patch did not fix this bug, there's still cache left in
> the pofile folder (for https+++www.youtube.com, https+++twitter.com)
> alongside with .metadata, .metadata-v2 files. I've tried to close the tab
> first and then clear the storage, but it didn't make any difference. Tested
> on Win 10 x64 and Mac OS X 10.11 with latest Nightly 58.0a1 (20171020100426).
> 
> Can you please take a look at this?

Can you check "create" time of those folders and .metadata/.metadata-v2 files ?
Maybe origin directories are correctly cleared, but there's a request to store data for them right after the clear operation finishes.
Flags: needinfo?(jvarga)
(In reply to Andrea Marchesini [:baku] from comment #18)
> Do we still have data into these folders? Is twitter having some SW still
> registered?

I can see the exact behavior described below after following the STR from comment 0. Here is a link with the https+++twitter.com folder: https://goo.gl/3aWCbS.

(In reply to Bogdan Maris, QA [:bogdan_maris] from comment #0)
> [Actual result]:
> - There is 64kb of data left in Settings. Following step 5 from above the
> second time will remove all data for good.
> - Other websites could be affected by this as well not only twitter.
Flags: needinfo?(ciprian.georgiu) → needinfo?(amarchesini)
The folder seems completely empty: no SW registered, no cache stored. This seems correct to me.
Flags: needinfo?(amarchesini) → needinfo?(jvarga)
If there are no subfolders and just .metadata/.metadata-v2, then yes.
Flags: needinfo?(jvarga)
However, https://goo.gl/3aWCbS contains "cache" subfolder.
(In reply to Jan Varga [:janv] from comment #24)
> However, https://goo.gl/3aWCbS contains "cache" subfolder.

Besides that, in "Setttings - Site Data" the site in question (e.g. youtube.com, twitter.com) is still displayed after clearing all data and refresh the about:preferences#privacy page - as  you can see in this screencast: https://imgur.com/a/0vYLC.
Comment on attachment 8920030 [details] [diff] [review]
unregister_sw.patch

Recent regression, fix was verified on nightly, beta57+
Attachment #8920030 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Yeah, I am still seeing the original issue mentioned in comment 0 in latest Nightly 58.0a1 and today in 57 beta 11 after the uplift.

As Ciprian mentioned in comment 21 and comment 25 this is still reproducible so I don't really know what was fixed here. Andrea can you clear the air here a bit? There is a cache folder left behind which contains a file caches.sqlite (~66kb) and another folder called morgue that's empty. 

Note again that this is the same exact behavior I initially reported in comment 0, and due to that I'm confused of what was fixed here.
Flags: needinfo?(amarchesini)
> As Ciprian mentioned in comment 21 and comment 25 this is still reproducible
> so I don't really know what was fixed here. Andrea can you clear the air
> here a bit? There is a cache folder left behind which contains a file
> caches.sqlite (~66kb) and another folder called morgue that's empty. 

janv, does it seem normal to you? the caches.sqlite db is empty. There is just the scheme.
Should this file be deleted together with the rest?
Flags: needinfo?(amarchesini) → needinfo?(jvarga)
(In reply to Andrea Marchesini [:baku] from comment #29)
> > As Ciprian mentioned in comment 21 and comment 25 this is still reproducible
> > so I don't really know what was fixed here. Andrea can you clear the air
> > here a bit? There is a cache folder left behind which contains a file
> > caches.sqlite (~66kb) and another folder called morgue that's empty. 
> 
> janv, does it seem normal to you? the caches.sqlite db is empty. There is
> just the scheme.
> Should this file be deleted together with the rest?

Quota Manager doesn't filter any files when clearing an origin directory. I guess DOM cache creates a new database right after the origin directory is cleared. Can someone check create time of caches.sqlite ?
Flags: needinfo?(jvarga)
Flags: needinfo?(bogdan.maris)
caches.sqlite is first created when I log on Twitter but it has like 4kb, in 2-3 seconds it's pumped to 66kb. Here is a screencast demonstrating this: https://drive.google.com/open?id=0BzbDkQ2Zlg86TWR4WGh1eHpWNG8 (was too large to upload it directly to bugzilla).
Flags: needinfo?(bogdan.maris) → needinfo?(jvarga)
It's probably the ServiceWorkerScriptCache creating a Cache storage object which triggers schema creation. If you waited 1+ minutes after closing the tab this probably would not happen.

Just curious, why is an empty sqlite file a critical problem?  Content can't tell if it's there or not.
It would seem to me that as long as there's nothing privacy-sensitive in there (comment 29 says just schema data?), we wouldn't care much.
The empty SQLite file lives in a directory derived from the origin.  The canonical private browsing example is engagement ring shopping.  While it's harder for a non-technically-sophisticated user to locate, using a suffieicntly comprehensive filesystem search for "bluenile" would very likely discover the PROFILE/storage/default/https+++www.bluenile.com/ directory which contains the cache/ directory.  I don't think we make strong guarantees about the profile being resistant to forensic analysis, but we can definitely do better than leaving origins around in cleartext for our history-clearing features.
Blocks: 1415342

I suspect this can also cause bugs like bug 1533681.

Blocks: 1541373
Flags: needinfo?(jvarga)

Should we do more here to fix things like bug 1533681, Jan? Maybe file a sepearate bug?

Flags: needinfo?(jvarga)

(In reply to Andrew Overholt [:overholt] from comment #36)

Should we do more here to fix things like bug 1533681, Jan? Maybe file a sepearate bug?

Yes, the official status quo in this bug was that clearing works ok even though there is a sqlite database left with no data.
However some users still complain about it and as I said it can cause problems with some tests.
I filed a new bug for that, bug 1541464.

Flags: needinfo?(jvarga)
You need to log in before you can comment on or make changes to this bug.