localStorage policy does not match cookie policy nor IndexedDB policy

RESOLVED DUPLICATE of bug 536509

Status

defect
6 years ago
a month ago

People

(Reporter: briansmith, Unassigned)

Details

When I discussed this with Jonas a long time ago, I remember him saying that localStorage policy is supposed to match cookies policy, and that's why we allow third-party iframes to use localStorage.

Personally, I think localStorage should be considered conceptually to be just a wrapper around IndexedDB, so IndexedDB and localStorage should have the same policy. 

But, at a minimum, now that bug 818340 has landed, we should make localStorage at least honor the new default third-party cookie blocking policy. Otherwise, sites can just use localStorage to trivially work around our third-party cookie blocking attempts.

Chris Evans makes the same point here:
http://scarybeastsecurity.blogspot.com/2009/12/bypassing-intent-of-blocking-third.html. I verified that Google Chrome's settings for cookies are labeled "cookies and site data" because they apply to localStorage too. (See also
http://code.google.com/p/chromium/issues/detail?id=92696.)

If it is decided that localStorage shouldn't be treated like all the other storage APIs like IndexedDB, and that localStorage should instead always be treated like cookies, then we should eventually make all cookie prefs apply to localStorage. According to http://grack.com/blog/2010/01/06/3rd-party-cookies-dom-storage-and-privacy/, Firefox will disable localStorage if cookies are completely disabled, but Firefox doesn't block third-party localStorage when third-party cookies are blocked.

Comment 1

6 years ago
Perhaps a duplicate of bug 536509?
The current IndexedDB policy is to not allow indexedDB usage at all inside 3rd party iframes. This is likely not an option for localStorage since it'll break too many websites.

Though likely we'll need to change the indexedDB policy in order to make it a better replacement for localStorage.

It would be great if someone from the privacy team could make a proposal for how we should deal with client-side storage APIs (currently localStorage and indexedDB, but there will be more) in general.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 536509
Duplicating does not seem to propagate cc lists, fixing.
Component: DOM → DOM: Core & HTML
Product: Core → Core
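
The policy mismatch discussed in this bug can be checked from inside a framed document. The following is an added example, not code from the bug or from Firefox: it probes cookies, localStorage and IndexedDB and reports which storage APIs still work when cookies are refused. The probe key, the function names and the constructed stand-in environment are assumptions made for illustration, and IndexedDB is treated as blocked only when it is missing or `open()` throws synchronously.

```javascript
// Added example: probe storage access in the current browsing context.
const KEY = "__storage_policy_probe__"; // hypothetical probe key

// env is an object exposing document, localStorage and indexedDB
// (in a browser, pass window).
function probeStorage(env) {
  const seen = { cookie: false, localStorage: false, indexedDB: false };
  try { // cookie: write, read back, then expire the probe cookie
    env.document.cookie = KEY + "=1; path=/";
    seen.cookie = env.document.cookie.includes(KEY + "=1");
    env.document.cookie = KEY + "=; path=/; max-age=0";
  } catch (e) { /* access denied */ }
  try { // localStorage: touching it can throw SecurityError when blocked
    env.localStorage.setItem(KEY, "1");
    seen.localStorage = env.localStorage.getItem(KEY) === "1";
    env.localStorage.removeItem(KEY);
  } catch (e) { /* access denied */ }
  try { // indexedDB: assumed blocked if missing or open() throws synchronously
    const req = env.indexedDB.open(KEY);
    req.onsuccess = () => { req.result.close(); env.indexedDB.deleteDatabase(KEY); };
    seen.indexedDB = true;
  } catch (e) { /* access denied */ }
  return seen;
}

// Storage APIs that still work although cookies are refused:
// the mismatch this bug describes.
function storageBypassingCookiePolicy(seen) {
  if (seen.cookie) return [];
  return Object.keys(seen).filter((api) => api !== "cookie" && seen[api]);
}

// Constructed stand-in for a third-party iframe under the behaviour described
// above: cookies dropped, localStorage allowed, IndexedDB refused.
function constructedThirdPartyEnv() {
  const items = new Map();
  return {
    document: { get cookie() { return ""; }, set cookie(_v) { /* dropped */ } },
    localStorage: {
      setItem: (k, v) => { items.set(k, String(v)); },
      getItem: (k) => (items.has(k) ? items.get(k) : null),
      removeItem: (k) => { items.delete(k); },
    },
    indexedDB: { open() { throw new Error("SecurityError (constructed)"); } },
  };
}
```

In a real page, `storageBypassingCookiePolicy(probeStorage(window))` run inside a cross-site iframe returns an empty list when the browser applies one policy to all three mechanisms.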