DOM storage: browser data storage that can bypass the intent of blocking third-party cookies

Discussion in 'privacy problems' started by MrBrian, Jun 11, 2014.

Thread Status:
Not open for further replies.
  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    Introduction:
    http://en.wikipedia.org/wiki/Web_storage
    http://webdevwonders.com/dom-storage-super-cookie/

    "DOM Storage" is sometimes called "local storage," "localstorage," or "web storage."

    From Web Storage:
    From What Firefox’s new privacy settings mean for you:
    To view all DOM persistent storage in Firefox, you can use Foundstone HTML5 Local Storage Explorer. Related Firefox extensions are listed here. Warning: installing Cookie Controller when Foundstone HTML5 Local Storage Explorer is installed seems to cause the permanent inability of both extensions to show DOM storage. The same might be true of some of the other related Firefox extensions.

    DOM storage test sites:
    http://csh.rit.edu/~ryanw/chaos/WebStorageTest.html
    http://people.w3.org/mike/localstorage.html

    How to clear and disable DOM Storage in Firefox, IE and Chrome.

    From Bypassing the intent of blocking "third-party" cookies:
    How does your browser behave when you have third-party cookies disabled and use that test site? Firefox 30.0 allows third-party DOM storage to be set. Mozilla knows about the issue already.

    Some "real life" websites that set third-party DOM storage in Firefox 30.0 when third-party cookies are turned off:
    http://www.drudge.com/
    http://www.huffingtonpost.com/

    Questions from superuser.com that have tag "local-storage".

    Since JavaScript is needed to set DOM storage, JavaScript blocking extensions like NoScript can mitigate this issue.
     
  2. MrBrian

    MrBrian Registered Member

  3. MrBrian

    MrBrian Registered Member

    Firefox's relationship between cookies and DOM storage (from https://bugzilla.mozilla.org/show_bug.cgi?id=341524):
    Note: the Firefox preference is "dom.storage.enabled," not "dom.storage.disabled."
     
    Last edited: Jun 13, 2014
  4. MrBrian

    MrBrian Registered Member

    Good news for Firefox users: if you untick Firefox checkbox "Accept cookies from sites," then DOM storage is enabled only on domains that are allowed in Firefox's cookie Exceptions list.
     
  5. MrBrian

    MrBrian Registered Member

    Chrome users: When "Block third-party cookies and site data" is ticked, Chrome doesn't have the DOM storage issue that Firefox does, according to my test.
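
The check described in posts 1 and 5 (third-party cookies blocked, yet DOM storage still writable) can be scripted. This is an added example, not part of the thread or of any test site linked in it. It assumes the script is served from a different site than the page that embeds it in an iframe, so that "framed" stands in for "third-party"; the function names and the `__probe__` key are made up for illustration.

```javascript
// Added example: classify what a browsing context is allowed to persist.
// `win` is a window-like object, passed in so the logic can be exercised with mocks.
function canWriteStorage(win, name) {
  try {
    const store = win[name];        // access itself may throw when storage is blocked
    if (!store) return false;       // null/undefined when the feature is switched off
    const key = "__probe__";        // hypothetical probe key
    store.setItem(key, "1");
    const ok = store.getItem(key) === "1";
    store.removeItem(key);          // leave nothing behind
    return ok;
  } catch (e) {
    return false;                   // SecurityError, QuotaExceededError, ...
  }
}

function canWriteCookie(win) {
  try {
    win.document.cookie = "__probe__=1; path=/";
    const ok = win.document.cookie.indexOf("__probe__=1") !== -1;
    // Expire the probe cookie again.
    win.document.cookie = "__probe__=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT";
    return ok;
  } catch (e) {
    return false;
  }
}

function probeContext(win) {
  let framed;
  try { framed = win.top !== win.self; } catch (e) { framed = true; }
  const cookie = canWriteCookie(win);
  const local = canWriteStorage(win, "localStorage");
  const session = canWriteStorage(win, "sessionStorage");
  return {
    framed, cookie, localStorage: local, sessionStorage: session,
    // The condition this thread is about: cookie refused, DOM storage accepted.
    storageOutlivesCookieBlock: framed && !cookie && local,
  };
}

// In a browser this prints the result for the current frame; elsewhere it does nothing.
if (typeof window !== "undefined") console.log(probeContext(window));
```
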
     
  6. MrBrian

    MrBrian Registered Member

  7. gorhill

    gorhill Developer

    Joined:
    Nov 12, 2013
    Posts:
    747
    Location:
    Canada
    For HTTPSB, if one allows JavaScript but is still concerned with privacy with regard to cookies (or whatever local storage), I suggest blacklisting the `XHR` matrix cell, so JavaScript code won't be able to report back that information.

    Personally I have had `cookie` and `XHR` blacklisted for a while now.
     
  8. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Isn't there an about:config entry for dom.storage.enabled that you can set to "false"? And wouldn't that sufficiently take care of it?
     
  9. MrBrian

    MrBrian Registered Member

    For Firefox, yes there is, and yes it should. The problem is what to do if there's a website that you want to use that breaks with it set to "false."
     
  10. MrBrian

    MrBrian Registered Member

  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The Better Privacy extension can auto-delete domain storage files when the browser is closed.
     
  12. Alhaitham

    Alhaitham Registered Member

    Joined:
    May 18, 2013
    Posts:
    173
    Location:
    Egypt
    Self-Destructing Cookies can be useful there.
     
  13. MrBrian

    MrBrian Registered Member

  14. MrBrian

    MrBrian Registered Member

    I did this, and also installed Firefox extension Cookie Monster. Cookie Monster has a user interface style similar to NoScript.
     
  15. luciddream

    luciddream Registered Member

    Thankfully I've yet to see this happen. And by looking at that link it seems that using HTML5 in Firefox with DOM Storage disabled (as well as cookies, which I do), gives you very good privacy. And all is wiped when I close my session by Sandboxie+CCleaner.
     
  16. MrBrian

    MrBrian Registered Member

    My tests reveal that Ghostery can also mitigate this issue, which is to be expected since Ghostery blacklists certain JavaScript content.
     
  17. MrBrian

    MrBrian Registered Member

    I went back to accepting first-party cookies and blocking third-party cookies by default because I use NoScript and Ghostery.
     