Closed Bug 456517 Opened 16 years ago Closed 16 years ago

Prompt when website asks to store data offline option doesn't do anything.

Categories

(Core :: Networking: Cache, defect)

Product:
Core
Component:
Networking: Cache
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: sephr, Unassigned)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Build Identifier: 

Under Options -> Advanced -> Network -> "Tell me when a website asks to store data for offline use" doesn't actually do anything. sessionStorage and globalStorage can be written to and read from without any user confirmation. This can be exploited to store large amounts of data on a user's computer without them being able to know that it is being stored (see bug 456513) and how much is being stored (see bug 456512).

Reproducible: Always

Steps to Reproduce:
1. Visit the website in bug report.
2. Type in some text. (will attempt to store it in globalStorage)
Actual Results:  
Text is stored in globalStorage without user's consent.

Expected Results:  
A prompt warns the user that noteboard.eligrey.com is trying to store offline data on their computer and they can choose to allow or deny access to offline storage. A "do not show me this message again" checkbox should also be shown to remember the choice.

This is under critical because this can be exploited very easily and does something a user never consented for.
forgot to mention the preference that the checkbox changes: browser.offline-apps.notify
Found out that was only for cache manifests a while ago.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID
Severity: critical → normal
You need to log in before you can comment on or make changes to this bug.