DOM storage: browser data storage that can bypass the intent of blocking third-party cookies

Introduction:
http://en.wikipedia.org/wiki/Web_storage
http://webdevwonders.com/dom-storage-super-cookie/

"DOM Storage" is sometimes called "local storage," "localstorage," or "web storage."

From Web Storage:

From What Firefox’s new privacy settings mean for you:

To view all DOM persistent storage in Firefox, you can use Foundstone HTML5 Local Storage Explorer. Related Firefox extensions are listed here. Warning: installing Cookie Controller when Foundstone HTML5 Local Storage Explorer is installed seems to cause the permanent inability of both extensions to show DOM storage. The same might be true of some of the other related Firefox extensions.

DOM storage test sites:
http://csh.rit.edu/~ryanw/chaos/WebStorageTest.html
http://people.w3.org/mike/localstorage.html

How to clear and disable DOM Storage in Firefox, IE and Chrome.

From Bypassing the intent of blocking "third-party" cookies:

How does your browser behave when you have third-party cookies disabled and use that test site? Firefox 30.0 allows third-party DOM storage to be set. Mozilla knows about the issue already.

Some "real life" websites that set third-party DOM storage in Firefox 30.0 when third-party cookies are turned off:
http://www.drudge.com/
http://www.huffingtonpost.com/

Questions from superuser.com that have tag "local-storage".

Since JavaScript is needed to set DOM storage, JavaScript blocking extensions like NoScript can mitigate this issue.

 

Firefox issue: When cookie expiration is set to ask every time, localStorage throws a security exception.

 

Firefox's relationship between cookies and DOM storage (from https://bugzilla.mozilla.org/show_bug.cgi?id=341524):

Note: the Firefox preference is "dom.storage.enabled," not "dom.storage.disabled."

 

Good news for Firefox users: if you untick Firefox checkbox "Accept cookies from sites," then DOM storage is enabled only on domains that are allowed in Firefox's cookie Exceptions list.

 

Chrome users: When "Block third-party cookies and site data" is ticked, Chrome doesn't have the DOM storage issue that Firefox does, according to my test.

 

Where do I find localStorage data in Chrome?

Chrome/Chromium - disable HTML5 LocalStorage and Databases for all webpages /or ask user

IE10 on Windows 7, where is localStorage stored in the file system?

 

For HTTPSB, if one allows javascript but is still concerned with privacy with regard to cookies (or whatever local storage), I suggest to blacklist the `XHR` matrix cell, so javascript code won't be able to report back that information.

Personally I have had `cookie` and `XHR` blacklisted for a while now.

 

Isn't there an about:config entry for dom.storage.enabled that you can set to "false"? And wouldn't that sufficiently take care of it?

 

For Firefox, yes there is, and yes it should. The problem is what to do if there's a website that you want to use that breaks with it set to "false."

 

From HTML5…I mean, Local…I mean, DOM…I mean, Web Storage!:

 

The Better Privacy extension can auto-delete domain storage files when the browser is closed.

 

Self-Destructing Cookies can be useful there

 

NoTrace Firefox extension has a DOM storage viewer and eraser.

 

I did this, and also installed Firefox extension Cookie Monster. Cookie Monster has a user interface style similar to NoScript.

 

Thankfully I've yet to see this happen. And by looking at that link it seems that using HTML5 in Firefox with DOM Storage disabled (as well as cookies, which I do), gives you very good privacy. And all is wiped when I close my session by Sandboxie+CCleaner.

 

My tests reveal that Ghostery can also mitigate this issue, which is to be expected since Ghostery blacklists certain JavaScript content.

 

I went back to accepting first-party cookies and blocking third-party cookies by default because I use NoScript and Ghostery.