Handle DOM storage separately from cookies?

Discussion in 'privacy technology' started by phkhgh, Dec 31, 2014.

  1. phkhgh

    phkhgh, Registered Member (joined Aug 17, 2007; posts: 166)
    Anyone heard of methods or addons that control DOM storage separately from cookies?
    For (one) instance, choosing to allow session cookies on a site (to log in) doesn't mean users would always want to allow DOM storage on the site. So maybe an addon that allows accepting cookies from a site, but still blocking DOM (if you so choose).

    AFAIK, at this time (Firefox 34), generally, the settings for cookies apply to DOM storage.
    I don't know all the details or how strict those rules are.
    I believe that if cookies are allowed (by default or per site), then DOM storage is allowed.

    But as many know, how sites / trackers might use data in DOM storage is different from cookies. The data in them are not at all equal, but they're handled equally (AFAIK).

    * Does anyone know if cookies are allowed (say, 1st party Session), does that mean only 1st party data is allowed in DOM storage (often called Local Storage)? If 3rd party data is not limited, then there's a real problem.

    * Some Fx addons say they can delete DOM storage separately from cookies. Like Cookie Controller (I've not used). If they can be deleted separately, maybe they can be controlled separately?

    * I believe other addons can delete DOM storage on tab closing, or at browser shut down? Like Self Destructing Cookies (also haven't used). Of course, when it comes to tracking, deleting data after the fact isn't quite the same as blocking. But, if you closed the tab(s) & it deleted the storage, might be better than nothing.

    If interested, Firefox (34) has a "Storage Inspector" in Developer tools. It must be added to the tools available on the developer toolbar. It allows viewing different types of storage stored in Fx - on current page (if any).

    To enable "Storage Inspector" in Firefox Developer tools, go to:
    Tools (main menu) -- Web Developer -- click Developer Toolbar.
    From the dev toolbar UI, on its main toolbar - where Inspector, Console tabs, etc. are, click the Options (gear icon).

    In Left column, under Default Firefox Developer Tools, check "Storage." (there are tool tips w/ brief description). Then, Storage tab will be on the developer toolbar (to view what the currently active web site (current tab) has stored, if anything).
    https://developer.mozilla.org/en-US/docs/Tools/Storage_Inspector
     
  2. phkhgh

    This is an interesting site on DOM storage behavior, by browser, based on current cookie settings. I probably don't understand it all.
    http://grack.com/blog/2010/01/06/3rd-party-cookies-dom-storage-and-privacy/
    If you scroll to the line, "Firefox, unchecked 'accept third-party cookies'," it mentions DOM storage behavior based on whether 3rd party cookies are allowed.

    It talks about DOM storage from iframes, which I take to mean (DOM) data coming from 3rd parties?
    It's certainly not an official source, but maybe someone can confirm that when 3rd party cookies are disabled in Fx, then DOM storage from 3rd parties is also blocked.
     
  3. noone_particular

    noone_particular, Registered Member (joined Aug 8, 2008; posts: 3,798)
    If I recall, the Better Privacy extension handles flash and domain storage separate from standard cookies.

    Regarding iFrames, they can be 3rd party or part of the originating website. They're just another means of injecting data from a separate source into a webpage. On Torstatus, the detail pages for each router use iFrames to display the traffic graphs for each relay.
     
  4. phkhgh

    Thanks. I'm not aware that Better Privacy handles DOM storage (local storage). (you meant DOM, not "domain" - right?)
    I use BP, though I rarely use Flash anymore. I don't see anything in BP, or on its MAO page about handling anything other than LSO cookies. You have other info about it?

    Yeah - I'm not familiar w/ iFrames & relation to DOM storage.
    Though I've found out there are active bugs filed w/ Mozilla about DOM storage in Firefox not always following the settings for cookies / 3rd party cookies, it appears the design is cookie settings are supposed to control DOM storage.

    The bug link below states that DOM storage doesn't obey 3rd party cookie prefs. Meaning, (I guess) if even session cookies are allowed on a site (but 3rd party denied), the bug allows 3rd party trackers to use DOM storage. I haven't tested it thoroughly.

    If true, sites and (guess who...ADVERTISERS) are able to use tracking, with the help of Mozilla not fixing a 2009 bug. Now, why would any browser drag it$ feet on fixing bug$ that would allow u$er$ to block adverti$er$ & tracker$?? I'm $tumped.

    So far, still not found anything to handle DOM (local) and session storage permissions separately from cookies (which was the question).
    As I mentioned, Self Destructing Cookies (maybe others) screenshots show options for deleting DOM storage separately, but not controlling it - AFAIK.

    My intent was, be able to whitelist sites for DOM storage, but deny most sites - just like cookies. I haven't found (yet) if any cookie exceptions in Fx own cookie mgr, or any addon mgr, affect DOM storage. More research needed.
    Or, if it only cares about whether session or 3rd party cookies are allowed globally in the browser, to determine treatment of DOM storage??

    There were several "DOM storage test sites," to see how a browser responded, but I got mixed results. Those sites may not be updated to work correctly w/ the latest standards in Fx??
    Other sites, like HomeDepot, require DOM storage to be enabled for some things to work (can't have "dom.storage.enabled" disabled, in about:config). But, when enabled & session cookies are enabled (& the site's features work), it's not loading anything in DOM storage - per Storage Inspector dev tool, in Fx 34. So, I can't figure why HD makes a fuss about DOM storage, then doesn't appear to use it?

    I also found that Firefox's permissions for DOM storage based on cookie settings work a bit differently than Chrome or Safari (I believe that's still valid).
    Firefox (at least, the design) is that if 3rd party cookies are disabled, then DOM storage from 3rd parties is disabled (someone correct me if not so). Chrome & Safari don't allow limiting 3rd party DOM storage - in that same way.

    https://bugzilla.mozilla.org/show_bug.cgi?id=536509 localStorage does not obey "third-party cookies" pref
    https://bugzilla.mozilla.org/show_bug.cgi?id=527667 DOM Storage (localStorage, sessionStorage) data is not cleared when "Clear Recent History" is used with Time range not "Everything"
    https://developer.mozilla.org/en-US/docs/tag/localStorage General Info: Various Mozilla Articles tagged: localStorage
     
    Last edited: Jan 3, 2015
  5. MrBrian

    MrBrian, Registered Member (joined Feb 24, 2008; posts: 6,032; location: USA)
  6. noone_particular

    Yes. No idea where "domain" came from.
    If you don't need it, DOM storage can be disabled in about:config

    dom.storage.enabled;false
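
Added example, not part of the thread or of any addon named in it: a small probe for checking how the current cookie and `dom.storage.enabled` settings actually affect cookies, localStorage and sessionStorage, to be loaded once as a top-level page and once inside a cross-site iframe and the two results compared. The function names and result labels are made up for illustration; the probe assumes a browser can signal denial by a throwing property getter, a null property, or a failing write, and reports which one it saw.

```javascript
// Added example: names and result labels are illustrative, not from the thread.
// Classify one Web Storage area ("localStorage" or "sessionStorage") on a window.
function probeArea(win, name) {
  let store;
  try {
    store = win[name];               // the getter itself may throw when storage is denied
  } catch (e) {
    return "blocked (access threw " + e.name + ")";
  }
  if (store == null) return "disabled (property is " + store + ")";
  const key = "__probe_" + Date.now();
  try {
    store.setItem(key, "1");
    const ok = store.getItem(key) === "1";
    store.removeItem(key);           // leave nothing behind
    return ok ? "writable" : "not persisted (write silently dropped)";
  } catch (e) {
    return "blocked (write threw " + e.name + ")";
  }
}

// Cookies are probed the same way so the two results can be compared.
function probeCookies(doc) {
  try {
    doc.cookie = "__probe=1; path=/";
    const ok = doc.cookie.indexOf("__probe=1") !== -1;
    doc.cookie = "__probe=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT";
    return ok ? "writable" : "not persisted (write silently dropped)";
  } catch (e) {
    return "blocked (write threw " + e.name + ")";
  }
}

function probeStorage(win) {
  return {
    framed: win.top !== win.self,    // true when running inside an iframe
    cookies: probeCookies(win.document),
    localStorage: probeArea(win, "localStorage"),
    sessionStorage: probeArea(win, "sessionStorage"),
  };
}

// In a browser, print the result; under Node there is no window and nothing runs.
if (typeof window !== "undefined") console.log(JSON.stringify(probeStorage(window), null, 2));
```

A result where `cookies` is blocked but `localStorage` is writable inside the iframe is the mismatch the thread is asking about.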
     