Please disable DOM localStorage and DOM sessionStorage (supercookies) if you can #63
Comments
|
These should already be disabled by trying hidden WebKit flags (not sure if these do anything anymore): and then injecting Javascript into the beginning of HTML/Javascript downloaded that redefines the global functions that other Javascript would need to use storage: |
|
Per @jcs comment, I've done everything I can to disable these features. Unfortunately, it does look like the browser ignores that preference (I think it used to work in earlier versions of iOS — and it seems to work in the current version of the simulator). Interestingly, this evercookie test fails http://samy.pl/evercookie/ but other tests just for localstorage/sessionstorage http://dev-test.nemikor.com/web-storage/support-test/ does show that the value is being written. If you press "New Identity" or when you force-quit Onion Browser (or if it crashes) and you start it up again, the app will clear all local data. It's known that HTML5 storage and local databases are stored in the Testing this by setting "Allow All Active Content" (which takes away the JavaScript injection to overwrite global functions) and using the samy.pl test, you will get the "evercookie" set; then pressing "New Identity" properly wipes the value from all mechanisms on that test. So unfortunately, because we actually don’t have direct access to WebKit (only the APIs given to us in UIWebView & associated controllers), any blocking code the app provides is disadvantaged and can always be pre-empted by the OS and the framework. But the app does purge the data when it can (starting a new session of the app) and when the user prompts, which is maybe the best we can do without a chance of side effects (i.e. clearing the |
No description provided.
The text was updated successfully, but these errors were encountered: