Privacy Badger allows tracking via indexedDB #1557

Open
cowlicks opened this issue Aug 4, 2017 · 4 comments
Labels
enhancement
heuristic: Badger's core learning-what-to-block functionality
privacy: General privacy issues; stuff that isn't about Privacy Badger's heuristic
yellowlist: Domains on this list are allowed but with restrictions: no referrer headers or cookies/localStorage

Comments

@cowlicks
Contributor

cowlicks commented Aug 4, 2017

indexedDB is a known tracking vector that is used by evercookie.

From my comment here.

indexedDB is a potential vector for tracking. For example, if a 3rd party iframe is loaded on a site, that 3rd party can write some unique value to indexedDB. The next time that 3rd party origin is loaded, it can check the indexedDB for the value and use it to uniquely identify the client.

This situation necessitates a way for clients to inspect indexedDB on some origin for its database names so that privacy-compromising information can be deleted.

The API for enumerating database names has been removed. This means clients have no way of inspecting indexedDB on an origin without catching the origin accessing it. This can be done with a content script.
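
The "catch the origin accessing it" approach from the comment above, as an added example that is not part of the original issue and not Privacy Badger's code: wrapping the IndexedDB factory methods records which database names an origin touches. The function names, the stand-in factory and the `thirdparty.example` origin are assumptions made for illustration.

```javascript
// Wrap open/deleteDatabase on an IDBFactory-like object and report each
// database name the first time it is touched.
// Assumption: in a browser the target would be IDBFactory.prototype, patched
// by a script the content script injects into the page before site code runs.
function instrumentIndexedDB(target, origin, report) {
  const seen = new Set();
  for (const method of ["open", "deleteDatabase"]) {
    const original = target[method];
    if (typeof original !== "function") continue;
    target[method] = function (name, ...rest) {
      const key = `${method}:${name}`;
      if (!seen.has(key)) {
        seen.add(key);
        report({ origin, method, database: String(name) });
      }
      // Always forward the call so page behaviour is unchanged.
      return original.call(this, name, ...rest);
    };
  }
  return target;
}

// Constructed stand-in for IDBFactory so the example runs outside a browser.
function makeFakeFactory() {
  return {
    calls: 0,
    open(name, version) { this.calls += 1; return { name, version }; },
    deleteDatabase(name) { this.calls += 1; return { deleted: name }; },
  };
}

// Constructed scenario: a third-party frame opens two databases, one twice.
function demo() {
  const namesByOrigin = new Map(); // origin -> Set of database names
  const record = ({ origin, database }) => {
    if (!namesByOrigin.has(origin)) namesByOrigin.set(origin, new Set());
    namesByOrigin.get(origin).add(database);
  };
  const origin = "https://thirdparty.example"; // hypothetical origin
  const factory = instrumentIndexedDB(makeFakeFactory(), origin, record);
  factory.open("uid-store", 1);
  factory.open("uid-store", 1); // repeat access, reported once
  factory.open("cache");
  return { names: [...namesByOrigin.get(origin)], calls: factory.calls };
}

console.log(demo());
```

The per-origin name sets are the information the removed enumeration API used to provide, so they are what a later cleanup step would pass to `deleteDatabase`.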

ghostwords added the heuristic and privacy labels Aug 4, 2017
@ghostwords
Member

Potential use of indexedDB in the wild here: #1554 (comment)

@jawz101
Contributor

jawz101 commented Aug 9, 2017

I don't know if this is relevant, but sometimes I play with this FFox add-on Privacy Settings, and one thing - maybe the only thing - I've noticed is the LastPass add-on won't save autologin credentials with dom.indexedDB.enabled set to false.

@ghostwords
Member

Opened a crbug re inability to inspect IndexedDB contents in Chrome settings/dev tools: https://bugs.chromium.org/p/chromium/issues/detail?id=930773

ghostwords added the yellowlist label Aug 27, 2019
@ghostwords
Member

This is also an omission for yellowlisted domains. From https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/Storage_access_policy#What_does_the_storage_access_policy_block:

IndexedDB: read and write attempts throw a SecurityError exception.

3 participants