X
Tap here to go to the mobile version of the site.

Support Forum

How is "Site Data" entirely disabled ? (No site data allowed). The Firefox 57 documentation regarding "Site Data" is entirely incorrect.

Posted

How is "Site Data" entirely disabled ? (No site data allowed).

The Firefox 57 documentation regarding "Site Data" is incorrect. For example, at this link https://support.mozilla.org/en-US/kb/permission-store-data?as=u&utm_source=inproduct the documentation claims Firefox 'will ask' if a website can store data - but this never occurs. It never asks, and stores any amount of data.

Various combinatons of *storage* variable settings, *cache* variable settings have been tried, all to no avail. No matter what is set, Firefox 57 allows unfettered data to be written to the disk. "Disabling" storage management merely disables the GUI entry in Preferences, but not the actual writing of "Site Data".

Sites are now dumping quasi-executable code into these 'Site Data' locations. This amounts to unauthorized software installation on machines. Mozilla Firefox is allowing unauthorized application installation on user's machines.

How is so-called "Site Data" entirely disabled, so that no "Site Data" is written to user's machines ?

How is "Site Data" entirely disabled ? (No site data allowed). The Firefox 57 documentation regarding "Site Data" is incorrect. For example, at this link https://support.mozilla.org/en-US/kb/permission-store-data?as=u&utm_source=inproduct the documentation claims Firefox 'will ask' if a website can store data - but this never occurs. It never asks, and stores any amount of data. Various combinatons of *storage* variable settings, *cache* variable settings have been tried, all to no avail. No matter what is set, Firefox 57 allows unfettered data to be written to the disk. "Disabling" storage management merely disables the GUI entry in Preferences, but not the actual writing of "Site Data". Sites are now dumping quasi-executable code into these 'Site Data' locations. This amounts to unauthorized software installation on machines. Mozilla Firefox is allowing unauthorized application installation on user's machines. How is so-called "Site Data" entirely disabled, so that no "Site Data" is written to user's machines ?

Additional System Details

Application

  • User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:57.0) Gecko/20100101 Firefox/57.0

More Information

Shadow110 1072 solutions 14836 answers

uninstall Firefox. Then Delete the Mozilla Firefox Folders in C:\Program Files and C:\Program Files(x86) Then restart system. Then run Windows Disk Cleanup. Then run it again and click the button that says Cleanup System Files. Note: your Firefox Profile is saved. But you should make a back up before you do : https://support.mozilla.org/en-US/kb/back-and-restore-information-firefox-profiles

Reinstall with Current Release Firefox 57.0 with a Full Version Installer https://www.mozilla.org/firefox/all/

Please let us know if this solved your issue or if need further assistance.

uninstall Firefox. Then Delete the Mozilla Firefox Folders in C:\Program Files and C:\Program Files(x86) Then restart system. Then run Windows Disk Cleanup. Then run it again and click the button that says Cleanup System Files. Note: your Firefox Profile is saved. But you should make a back up before you do : https://support.mozilla.org/en-US/kb/back-and-restore-information-firefox-profiles Reinstall with Current Release Firefox 57.0 with a Full Version Installer https://www.mozilla.org/firefox/all/ Please let us know if this solved your issue or if need further assistance.
jscher2000
  • Top 10 Contributor
8763 solutions 71700 answers

3.2920 said

Sites are now dumping quasi-executable code into these 'Site Data' locations. This amounts to unauthorized software installation on machines. Mozilla Firefox is allowing unauthorized application installation on user's machines.

Could you give a link to a reference that explain the background for this concern?

Traditionally, localStorage and sessionStorage are like a vast cookie jar that accepts key:value pairs. I actually didn't know about files being stored in DOM storage. I wonder if that is more connected to HTML5 web apps that want to be able to run offline?

What preferences did you experiment with? Access to DOM storage is gated by the site's cookie permission, and is limited by the default quota. It can be disabled using a preference but some legitimate sites may break. There are separate preferences for offline storage.

(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk.

(2) In the search box above the list, type or paste dom.s and pause while the list is filtered

(3) Double-click the dom.storage.default_quota preference and enter the desired value in kilobytes (default of 5120 is 5 MB).

(4) To totally disable DOM storage: Double-click the dom.storage.enabled preference to switch the value from true to false

(5) In the search box above the list, type or paste OFFL and pause while the list is filtered

(6) Double-click the offline-apps.quota.warn preference and enter the desired value -- this may be buggy

(7) To require preapproval for offline storage: Double-click the offline-apps.allow_by_default preferences to switch the value from true to false

''3.2920 [[#question-1188969|said]]'' <blockquote>Sites are now dumping quasi-executable code into these 'Site Data' locations. This amounts to unauthorized software installation on machines. Mozilla Firefox is allowing unauthorized application installation on user's machines. </blockquote> Could you give a link to a reference that explain the background for this concern? Traditionally, localStorage and sessionStorage are like a vast cookie jar that accepts key:value pairs. I actually didn't know about files being stored in DOM storage. I wonder if that is more connected to HTML5 web apps that want to be able to run offline? What preferences did you experiment with? Access to DOM storage is gated by the site's cookie permission, and is limited by the default quota. It can be disabled using a preference but some legitimate sites may break. There are separate preferences for offline storage. (1) In a new tab, type or paste '''about:config''' in the address bar and press Enter/Return. Click the button promising to be careful or accepting the risk. (2) In the search box above the list, type or paste '''dom.s''' and pause while the list is filtered (3) Double-click the '''dom.storage.default_quota''' preference and enter the desired value in kilobytes (default of 5120 is 5 MB). (4) '''To totally disable DOM storage:''' Double-click the '''dom.storage.enabled''' preference to switch the value from true to false (5) In the search box above the list, type or paste '''OFFL''' and pause while the list is filtered (6) Double-click the '''offline-apps.quota.warn''' preference and enter the desired value -- this may be buggy (7) '''To require preapproval for offline storage:''' Double-click the '''offline-apps.allow_by_default''' preferences to switch the value from true to false

Question owner

Pkshadow said

uninstall Firefox. Then Delete the Mozilla Firefox Folders in C:\Program Files and C:\Program Files(x86) Then restart system. Then run Windows Disk Cleanup. Then run it again and click the button that says Cleanup System Files. Note: your Firefox Profile is saved. But you should make a back up before you do : https://support.mozilla.org/en-US/kb/back-and-restore-information-firefox-profiles Reinstall with Current Release Firefox 57.0 with a Full Version Installer https://www.mozilla.org/firefox/all/ Please let us know if this solved your issue or if need further assistance.

My apologies, the system is OS x 10.10.

''Pkshadow [[#answer-1036466|said]]'' <blockquote> uninstall Firefox. Then Delete the Mozilla Firefox Folders in C:\Program Files and C:\Program Files(x86) Then restart system. Then run Windows Disk Cleanup. Then run it again and click the button that says Cleanup System Files. Note: your Firefox Profile is saved. But you should make a back up before you do : https://support.mozilla.org/en-US/kb/back-and-restore-information-firefox-profiles Reinstall with Current Release Firefox 57.0 with a Full Version Installer https://www.mozilla.org/firefox/all/ Please let us know if this solved your issue or if need further assistance. </blockquote> My apologies, the system is OS x 10.10.

Question owner

jscher2000 said

3.2920 said (3) Double-click the dom.storage.default_quota preference and enter the desired value in kilobytes (default of 5120 is 5 MB). (4) To totally disable DOM storage: Double-click the dom.storage.enabled preference to switch the value from true to false (5) In the search box above the list, type or paste OFFL and pause while the list is filtered (6) Double-click the offline-apps.quota.warn preference and enter the desired value -- this may be buggy (7) To require preapproval for offline storage: Double-click the offline-apps.allow_by_default preferences to switch the value from true to false

thx for the suggestions...

  1. 3 - tried this, did not prevent data. value set to 1, then 0
  2. 4 - tried this several times. this prevents the "site data" gui from showing in the Preferences->Privacy section, but data gets written anyway. the setting only prevents being the user from knowing about the data, which is probably not the intent.
  3. 6 - tried this. no warnings given at all, no matter what the value.
  4. 7 - tried this. does not work, regardless of setting the browser allows any amount of data be written, by any site, with no warning and no opportunity to reject.
''jscher2000 [[#answer-1036485|said]]'' <blockquote> ''3.2920 [[#question-1188969|said]]'' (3) Double-click the '''dom.storage.default_quota''' preference and enter the desired value in kilobytes (default of 5120 is 5 MB). (4) '''To totally disable DOM storage:''' Double-click the '''dom.storage.enabled''' preference to switch the value from true to false (5) In the search box above the list, type or paste '''OFFL''' and pause while the list is filtered (6) Double-click the '''offline-apps.quota.warn''' preference and enter the desired value -- this may be buggy (7) '''To require preapproval for offline storage:''' Double-click the '''offline-apps.allow_by_default''' preferences to switch the value from true to false </blockquote> thx for the suggestions... #3 - tried this, did not prevent data. value set to 1, then 0 #4 - tried this several times. this prevents the "site data" gui from showing in the Preferences->Privacy section, but data gets written anyway. the setting only prevents being the user from knowing about the data, which is probably not the intent. #6 - tried this. no warnings given at all, no matter what the value. #7 - tried this. does not work, regardless of setting the browser allows any amount of data be written, by any site, with no warning and no opportunity to reject.
jscher2000
  • Top 10 Contributor
8763 solutions 71700 answers

Hi 3.2920, two follow-ups:

(1) Where is the data written?

(2) Are you using regular windows or private windows for your testing?

Hi 3.2920, two follow-ups: (1) Where is the data written? (2) Are you using regular windows or private windows for your testing?

Question owner

jscher2000 said

Hi 3.2920, two follow-ups: (1) Where is the data written? (2) Are you using regular windows or private windows for your testing?

(1) /Users/xxxx/Library/Application Support/Firefox/Profiles/4xxxxxx.default/storage/

(website specific directories here...)

(2) Regular Firefox windows, no private windows.

(3) Mac OSx 10.1010

''jscher2000 [[#answer-1037065|said]]'' <blockquote> Hi 3.2920, two follow-ups: (1) Where is the data written? (2) Are you using regular windows or private windows for your testing? </blockquote> (1) /Users/xxxx/Library/Application Support/Firefox/Profiles/4xxxxxx.default/storage/ (website specific directories here...) (2) Regular Firefox windows, no private windows. (3) Mac OSx 10.1010
jscher2000
  • Top 10 Contributor
8763 solutions 71700 answers

It's hard to tell what this data is.

I looked at [profile folder]\storage\default\https+++twitter.com\idb

(The idb folder is for IndexedDB data. If you disable IndexedDB in about:config by toggling dom.indexedDB.enabled, some extensions will break.)

05/14/2015 05:00 PM <DIR> 437107801ddma_ethyape.files 10/25/2015 07:37 PM <DIR> 4105791907cyalrndos__tkxeertn_e.files 02/18/2016 05:08 PM <DIR> 4185313131nsortoisfriucca_tnio.files 02/29/2016 11:56 AM <DIR> 1887877902cyalrndos__tkxeertn_e.files 02/29/2016 11:56 AM 49,152 1887877902cyalrndos__tkxeertn_e.sqlite 05/13/2016 06:05 PM 49,152 4185313131nsortoisfriucca_tnio.sqlite 11/07/2016 03:53 PM <DIR> 4110441544cyalrndos__tkxeertn_e.files 03/21/2017 03:09 PM 49,152 4105791907cyalrndos__tkxeertn_e.sqlite 06/26/2017 12:00 PM <DIR> 4022073352it.files 06/26/2017 12:00 PM 49,152 4022073352it.sqlite 08/23/2017 02:54 PM 49,152 4110441544cyalrndos__tkxeertn_e.sqlite 10/09/2017 05:57 PM 49,152 437107801ddma_ethyape.sqlite

I don't use Twitter that often. The folders (<DIR>) are empty; the databases have some structure but seemingly no recognizable data.

I wonder whether the data gets emptied out when I close Firefox, leaving empty shells? (I have my Twitter cookie permission set to session only.)

I deleted the whole folder and visited Twitter. The Storage panel of Developer Tools showed Local Storage data. On disk, there is a caches folder and a couple of metadata files. I can't tell where the Local Storage data is, or whether it is in this folder.

The idb folder was not reestablished on first visit. It might be created if I were to log in.

Maybe someone else can figure out what's in there, if anything.

It's hard to tell what this data is. I looked at [profile folder]\storage\default\https+++twitter''.''com\idb ''(The idb folder is for IndexedDB data. If you disable IndexedDB in about:config by toggling dom.indexedDB.enabled, some extensions will break.)'' <code>05/14/2015 05:00 PM <DIR> 437107801ddma_ethyape.files 10/25/2015 07:37 PM <DIR> 4105791907cyalrndos__tkxeertn_e.files 02/18/2016 05:08 PM <DIR> 4185313131nsortoisfriucca_tnio.files 02/29/2016 11:56 AM <DIR> 1887877902cyalrndos__tkxeertn_e.files 02/29/2016 11:56 AM 49,152 1887877902cyalrndos__tkxeertn_e.sqlite 05/13/2016 06:05 PM 49,152 4185313131nsortoisfriucca_tnio.sqlite 11/07/2016 03:53 PM <DIR> 4110441544cyalrndos__tkxeertn_e.files 03/21/2017 03:09 PM 49,152 4105791907cyalrndos__tkxeertn_e.sqlite 06/26/2017 12:00 PM <DIR> 4022073352it.files 06/26/2017 12:00 PM 49,152 4022073352it.sqlite 08/23/2017 02:54 PM 49,152 4110441544cyalrndos__tkxeertn_e.sqlite 10/09/2017 05:57 PM 49,152 437107801ddma_ethyape.sqlite</code> I don't use Twitter that often. The folders (<DIR>) are empty; the databases have some structure but seemingly no recognizable data. I wonder whether the data gets emptied out when I close Firefox, leaving empty shells? (I have my Twitter cookie permission set to session only.) I deleted the whole folder and visited Twitter. The Storage panel of Developer Tools showed Local Storage data. On disk, there is a caches folder and a couple of metadata files. I can't tell where the Local Storage data is, or whether it is in this folder. The idb folder was not reestablished on first visit. It might be created if I were to log in. Maybe someone else can figure out what's in there, if anything.

Question owner

At this point, have tried all suggestions from jscher2000 and Pkshadow, including complete de-install and removal of all previous Firefox user directories. After scratch re-install the issue is still asserting.

There seems to be no method of preventing unfettered "Site Data" from being written and accumulated.

Another pathology was seen late today. In addition to "Site Data" from a visited site (www.etcblahblah.com), an apparent third-party non-visited website "Site Data" folder is written in some cases. This seems analogous to "third party cookies".

This issue does seem like a fairly obvious security hole. No idea how to submit a bug ticket to Mozilla.

Will use Safari and wait for next bug release.

At this point, have tried all suggestions from jscher2000 and Pkshadow, including complete de-install and removal of all previous Firefox user directories. After scratch re-install the issue is still asserting. There seems to be no method of preventing unfettered "Site Data" from being written and accumulated. Another pathology was seen late today. In addition to "Site Data" from a visited site (www.etcblahblah.com), an apparent third-party non-visited website "Site Data" folder is written in some cases. This seems analogous to "third party cookies". This issue does seem like a fairly obvious security hole. No idea how to submit a bug ticket to Mozilla. Will use Safari and wait for next bug release.
AliceWyman
  • Moderator
240 solutions 2597 answers

3.2920 said

This issue does seem like a fairly obvious security hole. No idea how to submit a bug ticket to Mozilla.

See https://bugzilla.mozilla.org/ and https://developer.mozilla.org/en-US/docs/Mozilla/QA/Bug_writing_guidelines

3.2920 said

The Firefox 57 documentation regarding "Site Data" is incorrect.

See this reopened bug report: Bug 1313602 - Need "Learn More" page for persistent storage permission

Please observe Bugzilla Etiquette before commenting in bug reports.

''3.2920 [[#answer-1037528|said]]'' <blockquote> This issue does seem like a fairly obvious security hole. No idea how to submit a bug ticket to Mozilla. </blockquote> See https://bugzilla.mozilla.org/ and https://developer.mozilla.org/en-US/docs/Mozilla/QA/Bug_writing_guidelines ''3.2920 [[#question-1188969|said]]'' <blockquote> The Firefox 57 documentation regarding "Site Data" is incorrect. </blockquote> See this reopened bug report: [https://bugzilla.mozilla.org/show_bug.cgi?id=1313602 Bug 1313602] - Need "Learn More" page for persistent storage permission Please observe [https://bugzilla.mozilla.org/page.cgi?id=etiquette.html Bugzilla Etiquette] before commenting in bug reports.