forget-me-not icon indicating copy to clipboard operation
forget-me-not copied to clipboard
verified publisher icon Lusito

Per site block rule doesn't prevent site's data in user's profile storage folder

Open ghost opened this issue 7 years ago • 10 comments

Hi,

Forget Me Not 1.0.2 / Firefox 60.0.1 (x64) / Windows 7 (x64)

I'm encountering an issue with blocked sites that seems odd when compared to Firefox's native site cookie block logic.

With Firefox / Options / Privacy & Security / Cookies and Site Data / Exceptions ... If I set a site as blocked then are blocked not only the site's cookies but as well LocalStorage and IndexedDB storage. By IndexedDB storage I mean a site's data appearing in the user's profile / Storage / Default folder, i.e https+++www.bostonglobe.com^firstPartyDomain=bostonglobe.com

Blocking with Firefox : no blocked site's indexedDB storage Removing the site from Firefox blocking, adding the site to FMN as blocked : no cookies indeed but site's data nevertheless in storage / default folder.

Here are my FMN defined rules:

fmn

As you can see among sites I've blocked appear those that keep data in the user's storage folder: bostonglobe, huffingtonpost, techradar, theguardian

All these four domains will add data such as, i.e https+++www.bostonglobe.com^firstPartyDomain=bostonglobe.com This data is removed once Firefox closed, but remains during the session. If I add these domains to Firefox's cookie blocking, their data is not added to user's local/default folder.

Same applies to localStorage : a site set as blocked by FMN doesn't prevent that site from installing data in user's localStorage (webappstore.sqlite).

I hope you've understood what I mean as English is not my mother-tongue together with the fact I lack technical terminology.

ghost avatar Jun 06 '18 11:06 ghost

Hello and thanks for your feedback.

Sadly, there is currently no API available to block indexedDB, localStorage, etc. I can only block cookies at this time. If you look at the description of the black rule, you'll see, that it's only about cookies.

So this is an issue that mozilla needs to fix before I can do anything about it. I will do my best to convince them that this shortcoming should be fixed.

Lusito avatar Jun 07 '18 19:06 Lusito

On demand cleaning (or cleaning on startup) has the ability to clear all indexedDB storage.

Joel889 avatar Jun 22 '18 02:06 Joel889

I checked the cleaning on startup but it doesn't work for me. if I change volume of a youtube video it will be kept after closing all youtube instances and restarting firefox. I have suspected this for some time as youtube would change the recommended video based on my past viewing history and I think it uses indexDB or site storage (I am not a developer so I cant check both).

I don't know of a way to check a website storage content without opening that site and using storage inspector in firefox. So I cant track it but I can check before and after restart of firefox to see if the youtube volume is kept so I can be sure other stuff is kept too (except cookies but it seems youtube no longer uses cookies for not logged in users, and uses localstorage to track me.

UPDATE: even using clean now from the extension doesnt do anything other than deleting cookies as the develpoer seems to be saying (but why keep the option that would confuse the user and doesnt do anything then?).

firefox has a way of deleting only the website data that you want to delete by clicking on the info icon on URL bar and selecting "clear cookies and website data". it shows the domains that their data will be cleared and will actually do it.

a suggestion: maybe remove the useless option about the local storage and indexdb until the addon actually can delete them, so that users are not ignorant of the security issue that is still present and can track them.

by the way , many websites are using cookies less and less because http is stateless and cookies are sent with every request and that would use more bandwidth and is wasteful. so it is necessary to know that the indexDB and localstorage and also web-workers are the new cookies that can and will track you.

rezad1393 avatar Oct 01 '18 16:10 rezad1393

@rezad1393 well said, the extension falsely lead me to believe it could remove local storage and sw on shutdown... etc, however I had to enable firefox to do this by clearing "offline website data" on shutdown, this is the only solution I could find. (update, apparently site bleach found a way around the webapi to delete localstorage, SW and the DB upon reloading a domain... storage is deleted upon revisiting a domain (as opposed to closing the domain tab)) @Lusito I encourage you to do your best to help firefox improve their API's. Maybe a piece of software that must be installed separately that automates the clearing of storage on every tab change will get mozillas attention. Their API is definitely lacking. Any links and resources to discussion about this on their forums and bug reports would be appreciated, please include them here.

rugabunda avatar Aug 28 '19 01:08 rugabunda

It seems there is a bit of misunderstanding here. There is currently no option in FMN that is useless. All options do something. There are just limitations on what they can do and as such, these rules downgrade accordingly.

Let's have a look at Cookies, LocalStorage and IndexedDB on a page that has "instantly" (blacklist) configured as its rule:

The "instantly" (blocking) rule can only block things if they are blockable. What this means in effect:

  • Cookies can be blocked
    • they are affected by this rule as promised.
  • Local Storage and IndexedDB (and others) can't be blocked.
    • The rule will act as if it is an "on leave" rule.
  • Local Storage can be cleaned on domain leave.
    • It is affected by this rule as promised.
  • IndexedDB, however, can't be cleaned per domain (i.e. all or nothing). So it can't be cleaned on domain leave.
    • The rule will act as it is an "on startup" rule.

So when will Cookies, Local Storage and IndexedDB be cleaned?

  • Instantly: if you checked the respective "Instantly" checkboxes in the settings->cleanup panel.
    • Only cookies
  • On Domain leave if you checked the respective "On Domain leave" checkboxes in the settings->cleanup panel.
    • Cookies and Local Storage.
    • Beware: There may be no other page or iframe open with that domain. I.e. if you have two tabs, one that has youtube open and one that has a youtube video embedded, closing the youtube tab won't clear anything.
  • On Startup if you checked the respective "On Startup" checkboxes in the settings->cleanup
    • Cookies, Local Storage and IndexedDB.
    • Beware: If Firefox starts up with a youtube tab (for example if you chose to restore firefox tabs), then youtube won't get cleaned.

I hope this clears it up a bit.

A separate piece of software would:

  • be a lot of extra work, as it is OS specific. I.e. I'd have to do make it work on Unix, Windows, Mac and Android.
  • probably not be installed by most users (it would have to be installed manually)
  • not put a dent in mozillas conscience
  • probably not even be able to do these things without breaking other things.

Lusito avatar Aug 28 '19 17:08 Lusito

I will read the above soon, (update, apparently site bleach found a way around the webapi where storage is deleted upon revisiting a domain (as opposed to closing the domain tab) https://addons.mozilla.org/en-US/firefox/addon/site-bleacher as is discussed here... https://github.com/ghacksuserjs/ghacks-user.js/issues/776#issuecomment-525513930

this includes cookies, local storages, IndexedDBs, service workers, cache storages, filesystems and webSQLs; the latter three aren't supported in firefox apparently,. https://github.com/wooque/site-bleacher/issues/5#issuecomment-489257365

rugabunda avatar Aug 29 '19 04:08 rugabunda

@Lusito Well it looks like localdb numeration is soon to be implemented https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/browsingData/RemovalOptions

rugabunda avatar Aug 30 '19 03:08 rugabunda

That really sucks that localdb and indexdb cannot be blocked by extensions. I thought this was possible. I encourage all of you to lobby mozilla to add such functionality... this is a huge limitation in the api and anti competitive; all firefox has to do is allow addons to utilize firefox inbuilt data management systems, I would presume.

rugabunda avatar Aug 30 '19 03:08 rugabunda

@rugabunda Site-Bleacher can do that on chrome, as chrome seems to support it: https://developer.chrome.com/extensions/browsingData#specific_origins But on Firefox it will clear IndexedDB from ALL domains. Firefox doesn't support cleaning IndexedDB per-domain.

Quote From Mozilla

This property only applies to cookies and local storage items. Only remove cookies and local storage items which are associated with these hostnames.

You added the wrong link about the indexedDB enumeration btw: https://bugzilla.mozilla.org/show_bug.cgi?id=934640

Enumerating the databases would allow to remove the databases, but only when the page is currently active. This is not a good solution, as the webpage could in the same moment recreate the databases.

A better solution would be to support hostnames in the browsingData.remove() function. There is a ticket for that here: https://bugzilla.mozilla.org/show_bug.cgi?id=1551301

Lusito avatar Aug 30 '19 16:08 Lusito

Thank you very much I have passed on the relevant info to others who can make this happen.

rugabunda avatar Sep 01 '19 09:09 rugabunda