what are "current" cookies and localStorage items?

[practik]

Hi ysard, I just updated to 0.3rc4, thanks for the update!

The menu now offers options to delete "current cookies" and "current localStorage." Can you tell me more about what that means?

I would guess that "current" means "for the current browsing context" – but if that's what it is, then the information on the menu doesn't match the information in the full CQM interface and/or in Firefox's Storage Inspector.

For example, on the Github tab where I'm typing this right now, the menu says:

• Delete current cookies (0)
• Delete current localStorage (3)

But CQM shows 5 cookies for github.com and 3 for .github.com. And if I check the Storage Inspector, it shows the same 8 cookies but no localStorage items. So … I'm confused. Can you explain?

[ysard]

Hi practik, indeed the option is actually not accompanied by explanations for the moment :p

The LocalStorage is a quite new feature of HTML5 that allows developers to create data in your device using JavaScript. Cookies are just one type of storage, but now, there are others...
You will also find "SessionStorage", a LocalStorage where data is stored temporarily (deleted on browser restart), but the important thing is that LocalStorage is persistent, and cleared only at the discretion of the visited websites.
You may erase them by clicking on "Cookies and Site Data" in your browser's preferences, See the documentation of Firefox, and by selecting "Offline Website Data".

From the point of view of privacy and security:

This kind of persistant data (even after clearing cache), was invented to store small data allowing the operation of online applications, but offers new and better ways of tracking.
Moreover, LocalStorage wasn't designed to be used as a secure storage mechanism.

Thus, any third party JavaScript library that runs on a website can access to the LocalStorage of the current page and read data stored by another domain on this same page: that is not possible with cookies which are mostly not cross domain. This offers a more accurate way to track users.

And, if any third party library is compromised and their minified.js script gets altered, this can cause significant data leaks, especially since websites store private or identifying data...

Development problems:

• LocalStorage doesn't have as size constraints as cookies: LocalStorage provides at least 5MB of storage,
• there is no API like for cookies to query all key/values stored in the browser,
• the only way to show the data is to inject basic JS code in the currently viewed page and send the result to an addon.

These points make today effectively support this feature is difficult, but it is impossible in my opinion to let the public ignore that this technology is replacing cookies invisibly (on which all the attention is focused), and that it is much more dangerous than them.

Links:
https://www.w3schools.com/html/html5_webstorage.asp
https://dev.to/rdegges/please-stop-using-local-storage-1i04

---

To answer your questions:

• The word "current" on the menu means that what is displayed concerns only the page viewed.
  Can I make more clear while respecting the constraints of space in this menu?

• LocalStorage cookies are not displayed in the CQM interface among conventional cookies.

• In your example, you actually have 8 conventional cookies created for github and its domains + 3 keys in the LocalStorage.
  The bad counting of cookies is a bug, probably due to the activation or not of the FirstPartyIsolation option.
  That should disappear with the version 62 of Firefox but I will look at the problem.

[practik]

Thanks for the information!

About the wording: I think "current" is probably OK. I did understand it as you intended it to be understood; I was only uncertain because the numbers in the menu don't match the numbers in the full CQM interface.

If you get more questions about "current," you could also consider "Delete cookies for this page (0)," which is just a little longer.

About the example: Just to clarify: The CQM menu shows 3 localStorage items, but the Firefox Storage Inspector shows 0 – which is correct?

And I should have mentioned that I do have FPI enabled, in case that helps you investigate the bad cookie counting.

[ysard]

Thank you for the wording, I keep it if ever the question reappears :)

About the example: The CQM menu shows 3 localStorage items, but the Firefox Storage Inspector shows 0 - which is correct?

Firefox Storage Inspector is wrong :p
My current profile does not even allow me to display conventional cookies on this tool, however with another development profile everything is here: the conventional ones and keys/values of the LocalStorage.
This tool seems pretty unstable for that; Or is it the LocalStorage/IndexedDB system that it seems easy to completely crash at the scale of addons AND websites that use it...

And I should have mentioned that I do have FPI enabled, in case that helps you investigate the bad cookie counting.

Ok, a mix of FPI/non FPI cookies are problematic in the menu, i will try to fix that.

[practik]

Firefox Storage Inspector is wrong :p

So CQM shows cookies and localStorage items that are missed by Firefox's built-in tools? Nice! You might want to mention that in the description, here and on AMO – it seems like a very useful feature.

[ysard]

Let's say that I thought I had broken something in my profile causing the loss of display of storage data in this tool; but apparently I'm not the only one.
I will see if I have time to report the bug but I have no idea what is the origin of this problem.

[ysard]

Hi, can you please also confirm that there is no more counting problem under FF62?
So I could close #23

[practik]

Because of the bug we discussed above, I can't say whether the localStorage counts are accurate or not. But the menu cookie counts all match the counts in the main interface. I tested on a few different sites.

[practik]

One other thing I noticed: For pages with no localStorage, the menu shows a count of zero:

• Delete current localStorage (0)

But for pages like about:addons, and also for domains that are blocked (in my Firefox preferences) from setting any cookies or site data, the menu shows no count:

• Delete current localStorage

Is this intentional? Why not show a zero for those pages too?

[ysard]

Ok thank you.

Why not show a zero for those pages too?

To count LocalStorage keys I need to inject a script into the page. But about:addons/AMO is one of the protected pages where i can't do this kind of action.
Maybe I should remove the option on this type of pages.

[practik]

To count LocalStorage keys I need to inject a script into the page

That makes sense for protected pages, but why is there no count for domains that are blocked from setting cookies and site data?