How to control websites' use of localStorage in Firefox?

local-storage firefox

As more and more sites switch from using cookies to using localStorage to store their data (including "tracking bugs"), I'm concerned about in how far the user can control this. With cookies, one could set up the appropriate policies, e.g. block 3rd party cookies, or being always asked. I could not find a corresponding setting for localStorage.

Searching SU, I found a similar question for Chrome: disable HTML5 LocalStorage and Databases for all webpages /or ask user. I've also read How to allow local storage for one specific userscript, but disable it globally? (which does not answer my question) and Firefox local storage and cache questions (which also states missing documentation, but does not answer my question). I found almost nothing on a Google search.

Trouble I've had in the beginning with SE in general (see MSO) and solved thanks to Eric's Blog let me assume the cookie settings are at least connected to localStorage somehow; but as it's not documented, I don't want to rely on "try-and-err" with one FF version to draw general conclusions from.

Is there some documentation on that? I'd count it a big privacy intrusion if the user cannot control which site is storing data into localStorage, so it must be possible somehow.

TL;DR: Is it done corresponding to the cookie policy − or if not, how can a user control it?


Solution 1:

Firefox's relationship between cookies and localstorage (from https://bugzilla.mozilla.org/show_bug.cgi?id=341524):

  • disabling cookies disables storage, unless the site is on the whitelist.
  • enabling all cookies enables storage, except if the site is on the blocked list.
  • if a site is set to session only in the block list, only session storage may be used. Global storages are treated like session storages.
  • similarly, if the cookie preferences are set to session only, all storage usage is session only
  • if the cookie preferences are set to prompt, this is treated the same as reject cookies. Not sure whether we want prompting to occur here. Do cookies prompt every time a cookie is set, or just once per session?
  • the hidden preference dom.storage.disabled can be used to disable DOM storage.

Thus, you should be able to use cookie managers such as Cookie Monster to control localstorage.

To view/delete persistent localstorage in Firefox, you can use Foundstone HTML5 Local Storage Explorer or NoTrace. Other related Firefox extensions are listed here.

From How to clear and disable DOM Storage in Firefox, IE and Chrome:

Clear DOM Storage in Firefox:

Select “Tools” -> “Clear Recent History”, open “Details”, check “Cookies” and select “Everything” as time range.
ATTENTION: No other time range will clear the DOM Storage.

[...]

Disable DOM Storage in Firefox:

Type "about:config" in your address bar and hit enter to view your internal browser settings. Scroll down to "dom.storage.enabled", right click on it and hit "Toggle" to disable the DOM Storage.

From Bypassing the intent of blocking "third-party" cookies:

In concept, HTML5 Local Storage is very similar to cookies. On a per-origin basis, there is a set of disk-persisted name / value pairs.

With a simple test, it's easy to show that the HTML5 Local Storage feature is not affected by the third-party cookie setting.

Mozilla knows about this issue: Bug 536509 - localStorage does not obey "third-party cookies" pref. Fortunately, if you untick Firefox checkbox "Accept cookies from sites," then localstorage is enabled only on domains that are allowed in Firefox's cookie Exceptions list. Since JavaScript is needed to set localstorage, JavaScript blocking extensions like NoScript can also mitigate this issue.

Localstorage test sites:

  • https://csh.rit.edu/~ryanw/chaos/WebStorageTest.html
  • https://people.w3.org/mike/localstorage.html
  • https://scary.beasts.org/misc/iframe_storage.html

Firefox issue: Bug 748620 - When cookie expiration is set to ask every time, localStorage throws a security exception.

All of the information in this answer was adapted from DOM storage: browser data storage that can bypass the intent of blocking third-party cookies, a thread that I started.

Solution 2:

I am the developer of the Cookie Controller addon, and it will show you the permissions that apply to local storage (and session storage) as well as letting you set those permissions.

However, to answer your original question, permissions for DOM storage are essentially the same as for cookies. Certain permissions, such as 3rd party, do not apply, but the settings to deny cookies or restrict them to the current session are also applied to DOM storage. Unfortunately Firefox will not show you whether a web page is using DOM storage or not so it can be difficult to verify. Hence the addon is useful.

There is also a hidden preference that will completely disable all DOM storage independently of cookies: dom.storage.enabled. This is a little brutal and usually you would just block cookies to block storage. Equally, exceptions set to allow individual web sites to set cookies also allow them to use DOM storage.

Lastly, there is a limit on the amount of storage that can be used by each web page. By default this is 5MB but you can change it, potentially to zero. However, web pages don't always handle overflowing this quota very well so you might cause problems by changing it.

Solution 3:

There doesn't appear to be a whole lot of documentation on the feature, but here is the article from the Mozilla Developers Network. In the article it mentions that there are still several bugs open regarding managing local storage (all bugs are open at the time of writing this answer). So at least for the time being it doesn't look like there is any way to manage access to local storage.

Related

What is the main difference between reboot and restart of a machine
How do I move audio from one portion to another in Audacity?
How to shut down openwrt without corrupting file systems?
Windows 8.1 System process using High CPU
How to have grep print only the matching text plus X surrounding characters
Continue on error when apt-get encounters an install unable to locate package issue
Location of Event logs in Windows
Get USB tethering from Android device to work on Debian 8
What does the yellow color of CPU mean in htop? [duplicate]
Windows 10 WSL (bash) and mintty
How to permanently disable "Waves' MaxxAudio Pro" / MaxxSense
How to avoid google chrome proxy bypass for localhost?