Add lifetime storage settings for indexDB / localStorage #4438

Open
pes10k opened this issue May 14, 2019 · 3 comments
Labels
privacy privacy-pod Feature work for the Privacy & Web Compatibility pod

Comments

Contributor

pes10k commented May 14, 2019

We currently set a max lifetime of 7 days for JS-set cookies. It would be good to add some similar lifetime-ing of other JS-set storage (i.e. localStorage, IndexedDB).

Might also make sense to key off of whether the JS is 1p or 3p (not the frame / context, but the JS code source).

@pes10k added the privacy, privacy/feature and privacy/tracking labels May 14, 2019
@rebron added this to Untriaged Backlog in Security & Privacy via automation May 24, 2019
@tomlowenthal added the privacy-pod label and removed the privacy/feature and privacy/tracking labels Feb 12, 2020
Member

fmarier commented Mar 24, 2020

The latest version of ITP does the following:

Now ITP has aligned the remaining script-writable storage forms with the existing client-side cookie restriction, deleting all of a website’s script-writable storage after seven days of Safari use without user interaction on the site. These are the script-writable storage forms affected (excluding some legacy website data types):

  • Indexed DB
  • LocalStorage
  • Media keys
  • SessionStorage
  • Service Worker registrations

Contributor Author

pes10k commented Mar 24, 2020

Just adding (bc I couldn't tease it out from the blog post), Safari now does this for all sites, not just ITP-labeled domains.

Also, interesting implementation detail, 3p w/o storage access don't get a timer (e.g. seeing the same 3p on the same 1p doesn't reset the timer for the 3p's storage).

@fmarier moved this from Untriaged Backlog to P3, P4, & P5 Backlog in Security & Privacy Jul 10, 2020
@fmarier removed this from P3, P4 Backlog in Security & Privacy Aug 18, 2021
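
A small model of the lifetime policy discussed in this thread, added here as an example; it is not part of the issue and is not Brave or WebKit code. The class, method and site names are hypothetical, and it assumes the clock counts only days of browser use and that storage is purged once the seventh idle day closes.

```javascript
// Added illustration; every name here is hypothetical (not Brave or WebKit code).
const MAX_IDLE_USE_DAYS = 7; // "seven days of ... use without user interaction"
class StorageLifetimeTracker {
  constructor() {
    this.useDay = 0;        // counts only days on which the browser was used
    this.sites = new Map(); // site -> { lastInteractionDay, stores }
  }
  // Script running for `site` wrote to a script-writable store.
  recordWrite(site, store) {
    const entry = this.sites.get(site) ||
      { lastInteractionDay: this.useDay, stores: new Set() };
    entry.stores.add(store);
    this.sites.set(site, entry);
  }
  // Only user interaction with the site as first party restarts its clock.
  // A third-party load without storage access never does.
  recordLoad(site, { firstParty, userInteracted }) {
    const entry = this.sites.get(site);
    if (entry && firstParty && userInteracted) entry.lastInteractionDay = this.useDay;
  }
  // Close one day of browser use; delete and return the sites that expired.
  endUseDay() {
    this.useDay += 1;
    const purged = [];
    for (const [site, entry] of this.sites) {
      if (this.useDay - entry.lastInteractionDay >= MAX_IDLE_USE_DAYS) {
        this.sites.delete(site);
        purged.push(site);
      }
    }
    return purged.sort();
  }
  hasStorage(site) { return this.sites.has(site); }
}
// Constructed scenario: eight days of use, three sites holding storage.
function simulate() {
  const t = new StorageLifetimeTracker();
  t.recordWrite('news.example', 'localStorage');
  t.recordWrite('widget.example', 'indexedDB');
  t.recordWrite('idle.example', 'localStorage');
  const purgedByDay = [];
  for (let day = 1; day <= 8; day++) {
    t.recordLoad('news.example', { firstParty: true, userInteracted: true });
    t.recordLoad('widget.example', { firstParty: false, userInteracted: false });
    purgedByDay.push(t.endUseDay());
  }
  return { purgedByDay, tracker: t };
}
```

In this scenario `widget.example` is loaded every day as an embedded third party, yet its storage expires on the same day as the never-visited `idle.example`, while `news.example` survives because the user interacts with it as a first party.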