Cannot delete localstorage data in private mode
Categories
(Toolkit :: Data Sanitization, defect, P3)
Tracking
()
People
(Reporter: bug.reporter.321, Unassigned)
References
Details
Attachments
(1 file)
|
895.79 KB,
image/png
|
Details |
Reproduction_localstorage_not_deleted.png
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/117.0
Steps to reproduce:
Hi I am using firefox 117 with "always use private mode" to have it clean all data on exit.
I recently noticed, that both cleaning options in
privacy&security -> Cookies and Site Data
privacy&security -> History
Fail to delete localstorage no matter what I do.
While it tells me
"
All history will be cleared.
This action cannot be undone.
"
It seems this is a lie. It just doesnt happen.
If it relates to private mode or any first party partitioning, or for whatever reason, you should display warnings.
Actual results:
It does not delete the local storage.
Maybe other type of storage could also be affected.
I never understood why you make it so difficult for people to understand what data of which category a website has stored in their browser.
Expected results:
It should delete the local storage and everything else.
If anything cannot be deleted due to browser configuration or whatever, I would expect that it tells me so.
This is most important.
If something fails to delete, why do not tell the user?
Most people delete history for privacy reason.
Having delete history fail for whatever reason, especially after displaying a total deletion warning, is more than a privacy bomb.
|
||
Comment 1•1 year ago
|
||
The Bugbug bot thinks this bug should belong to the 'Core::Storage: localStorage & sessionStorage' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Sorry after re-reading my posting, I wanted to say that history cleaning does not work while keeping the browser open.
It seems to clear after closing the browser and reopening it, but using the clear history controls in the privacy settings does not.
|
||
Comment 3•1 year ago
|
||
AFAICS the report does not refer to local storage as an API and that
It should delete the local storage and everything else
just indicates "something". Given that this seems to have to do with private browsing in general, moving there for further triage.
|
||
Updated•1 year ago
|
|
||
Comment 4•1 year ago
|
||
Hello! I have tried to reproduce the issue with firefox 119.0a1(2023-09-07) on Ubuntu 22.04, unfortunately I wasn't able to reproduce the issue on my end. Could you please answer the following questions in order to further investigate this isssue.
- Does this issue happen with a new profile? Here is a link on how to create one: https://support.mozilla.org/en-US/kb/profile-manager-create-remove-switch-firefox-profiles
- Does this issue happen in the latest nightly? Here is a link from where you can download it: https://www.mozilla.org/en-US/firefox/channel/desktop/
- Do you have any addons installed? If yes could you please list them?
Hi sergiu, what is the recommended way to clear localstorage (without closing the browser) when using "always use private mode" ?
It does not work on my windows either.
I tried with and without extensions.
For me it just seems the history / website data clearing has simply no effect when "always use private mode" is active.
It seems that the "special" data storage container of "always use private mode" is not handled by the "privacy controls".
But if these controls do not work in this case, you should grey them out or something...
Also note the cleaning works perfectly if "Always use private browsing mode" = OFF
|
||
Comment 10•10 months ago
|
||
The screenshots here are unfortunately not really helpful. Re-visiting the site in a new tab will likely cause the site to just recreate data (as the site can run more script and store more data), so that + "data shows up in devtools" is not really a reliable indication that "the data is still there".
This bug needs more reliable steps to reproduce. There are some in the github issue that should have been provided here, namely that a search term from a previous visit is persisted and reshown the second time, and given that websites normally aren't psychic, this suggests some data is still stored from last time. I can reproduce this.
In the github issue, there is speculation that this is to do with sessionStorage and that is why it's not being cleared. Paul, can you take a look at why that is? I don't really know about the extension APIs here, but certainly when deleteAll is called we ask gecko to delete sessionStorage data, so I don't know why that wouldn't do anything. Does it not clear private data because it's in-memory, or something?
|
Reporter | |
Comment 11•10 months ago
|
||
Hi Gijs, please note that in the screenshots, in the localStorage inspector, you see the search history!
This is not recreated, it is the search that was typed into the search box!!!
|
|
Reporter | |
Comment 12•10 months ago
|
||
See image 2 and 5. There is the "blue-search-history" field in the localStorage, and it contains the search string. The search term was "somesearch". Also node the deviceId prefix, which is the same until image 5, and in image 6, it has resetted after closing the browser.
|
||
Comment 13•9 months ago
|
||
Our data clearing UIs only work with normal browsing. They don't affect private browsing. That's why most of the clear data UI's are disabled or hidden when "always use private browsing mode" is enabled. Since the extension API uses the same interface for clearing data (nsIClearDataService) it would be affected by this limitation too.
Supporting clearing private browsing data would require updating the cleaners in ClearDataService.sys.mjs along with the storage implementation they call into to support clearing their in-memory PBM buckets.
|
|
Reporter | |
Comment 14•9 months ago
|
||
Hi Paul, I wonder why then the button is actually clickable and why there is no message or popup displayed, that the button cannot be used to clear the data, but instead the browser has to be shut down and restarted? How is anyone supposed to understand this? Thanks
|
|
||
Comment 15•9 months ago
•
|
||
Good question! "always use private browsing" has many UX issues like this. UX wise it tries to be private browsing and regular browsing at the same time (note how we even remove the PBM icon). It's also not clear what users expect from this mode, do they only want their history and site data to be deleted at shutdown, or do they want the privacy features PBM comes with, such as memory-only data and advanced tracking protections?
For this specific bug I think we should either change the UI to disable the clearing features, or implement proper support for clearing PBM data.
|
|
Reporter | |
Comment 16•9 months ago
|
||
P.S. I also still fail to understand the reasoning behind the current state. From user perspective, the always-private-mode seemed reasonable, because I think it is also randomizing things like the media device identifiers on browser restart (see https://developer.mozilla.org/en-US/docs/Web/API/MediaTrackSettings/deviceId). I do not see why one would want to trade this against the ability to clear tracking data "on the fly". Or have extensions like cookie autodelete to stop working in private mode. Or the mentioned button for cookie clearing in firefox stop working.... and all without any notice to the user. That the private-mode is actually defeating other privacy tools seems to be an element of dark pattern of "false security" that one should avoid in any way possible... Doesn't it seem much more sound, at least in always private mode, to let UI's, extensions, etc. just use the temporary storage container that is used to encapsulate the session of the private mode? Instead, they all seem to point to the (inactive) non-private containers.
Description
•