Clear-Site-Data storage directive does not clear Cache or service worker

RESOLVED FIXED in Firefox 65

Status

defect
RESOLVED FIXED
9 months ago
9 months ago

People

(Reporter: asa.kusuma, Assigned: baku)

Tracking

63 Branch
mozilla65

Firefox Tracking Flags

(firefox65 fixed)

Details

Attachments

(1 attachment)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36

Steps to reproduce:

I'm on the latest stable, 63

Set up the repro app: https://github.com/asakusuma/sw-clear-site-data/tree/firefox-bug

* Navigate to http://localhost:3000
* Click "Register service worker"
* Click "Popluate Cache"
* Open devTools and verify that cache has been populated and service worker is registered
* Refresh
* Notice that the index.html response included Clear-Site-Data: "storage"


Actual results:

Cache is not cleared and service worker is still registered. Click "Read cache" and "log sw registration" and see console output to confirm.


Expected results:

Cache should be completely cleared and the service worker should be unregistered
Component: Security → DOM: Service Workers
Theoretically we should be clearing this. I haven't tried your STR yet, though. Needinfo so that we don't forget about it.
Flags: needinfo?(jhofmann)
Flags: needinfo?(amarchesini)
> * Navigate to http://localhost:3000

By spec, Clear-Site-Data works only with secure connections. If you use https it will work.
Flags: needinfo?(jhofmann)
Flags: needinfo?(asa.kusuma)
Flags: needinfo?(amarchesini)
User agents are allowed to include localhost as a secure connection: https://w3c.github.io/webappsec-secure-contexts/#localhost

It's difficult to test behavior if localhost is not supported.

The service worker spec specifically notes that localhost can be included: https://www.w3.org/TR/service-workers-1/#secure-context

Clear-Site-Data spec does not explicitly note that localhost can be included: https://www.w3.org/TR/clear-site-data/#incomplete

So perhaps this is better classified as a feature request and not a bug.
Flags: needinfo?(asa.kusuma)
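
The gating discussed in the comments above (Clear-Site-Data honoured only for secure origins, with localhost allowed to count as one), sketched as an added JavaScript example. It is not code from this bug, the attached patch, or Firefox; the function names and sample URLs are hypothetical, and the trust check is a simplified reading of the Secure Contexts text linked above.

```javascript
// Added illustration; not Firefox's ClearSiteData.cpp. Function names are hypothetical.
const KNOWN_TYPES = new Set(["cache", "cookies", "storage", "executionContexts", "*"]);

// Parse a Clear-Site-Data value: a comma-separated list of quoted strings.
function parseClearSiteData(headerValue) {
  const types = [];
  for (const item of headerValue.split(",")) {
    const m = /^\s*"([^"]*)"\s*$/.exec(item);
    // This sketch skips unquoted or unrecognised entries instead of failing.
    if (m && KNOWN_TYPES.has(m[1]) && !types.includes(m[1])) types.push(m[1]);
  }
  return types;
}

// Simplified "potentially trustworthy" test after the Secure Contexts text
// linked in the thread: TLS schemes, loopback addresses, and localhost names.
function isPotentiallyTrustworthy(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return false; // unparsable URL: never honour the header
  }
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  const host = url.hostname; // lower-cased; IPv6 literals keep their brackets
  if (host === "[::1]") return true;
  if (/^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host)) return true;
  return host === "localhost" || host.endsWith(".localhost");
}

// Decide what a response may clear: nothing at all from an untrusted origin.
function typesToClear(responseUrl, headerValue) {
  if (!isPotentiallyTrustworthy(responseUrl)) return [];
  return parseClearSiteData(headerValue);
}

// Constructed sample responses (not taken from the bug's repro app).
const samples = [
  ["http://localhost:3000/index.html", '"storage"'],
  ["http://example.test/index.html", '"storage"'],
  ["https://example.test/logout", '"cache", "cookies", bogus'],
];
for (const [url, header] of samples) {
  console.log(url, "->", JSON.stringify(typesToClear(url, header)));
}
```

Anchoring the hostname patterns matters here: names such as `localhost.example.test` or `127.0.0.1.example.test` must not pass as loopback.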
(In reply to asa.kusuma from comment #3)
> User agents are allowed to include localhost as a secure connection:
> https://w3c.github.io/webappsec-secure-contexts/#localhost

Yes you are right. I realized it when checking how to support localhost.
/me working on it.
Assignee: nobody → amarchesini
Attachment #9019984 - Flags: review?(ckerschb)
Comment on attachment 9019984
clearSiteDataLocalhost.patch

Review of attachment 9019984:
-----------------------------------------------------------------

yeah, that looks sane to me - thanks!

::: toolkit/components/clearsitedata/ClearSiteData.cpp
@@ +207,5 @@
> +    return;
> +  }
> +
> +  nsCOMPtr<nsIContentSecurityManager> csm =
> +    do_GetService(NS_CONTENTSECURITYMANAGER_CONTRACTID);
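
Review bot: no check on `csm` is visible after the `do_GetService(NS_CONTENTSECURITYMANAGER_CONTRACTID)` assignment at +207, where the quoted context ends. do_GetService leaves the pointer null when the service cannot be obtained, so a guard such as `if (NS_WARN_IF(!csm)) { return; }` directly after the assignment, mirroring the early `return;` just above, would keep the localhost check from dereferencing a null pointer while handling the header.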

hah, I didn't know we had an idl for the content security manager.
Attachment #9019984 - Flags: review?(ckerschb) → review+
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/0bc87bd86202
ClearSiteData should be enabled for localhost, r=ckerschb
https://hg.mozilla.org/mozilla-central/rev/0bc87bd86202
Status: UNCONFIRMED → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Thanks for the quick fix!