Firefox extensions cannot securely clear browsing data

While working on Clear Browsing Data, I learned about several browser bugs that may render some Firefox extensions that focus on user privacy unreliable.

The browsingData API in Firefox does not properly remove data, enabling sites to track users who rely on extensions to clear browsing data. Removing certain data types can also lead to side effects and data loss.

Data saved with the Cache API is not cleared

The browser stores downloaded assets internally when caching is enabled, and the Cache API is used by web pages and service workers for better control over caching.

Browser extensions may delete cached data with browsingData.removeCache().

browser.browsingData.removeCache({})

However, this function only removes assets from the browser’s internal cache, leaving data stored using the Cache API available for future retrieval. This enables tracking users across browser sessions in Firefox.

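// Cache names survive browsingData.removeCache(), so a name can carry an identifier.
window.caches.keys().then(keys => {
  const [user] = keys.filter(key => key.startsWith('user:'));
  if (user) {
    // A cache created on an earlier visit is still present.
    console.log('returning visitor:', user.substring(5));
  } else {
    console.log('saving new visitor');
    // Creating an empty cache is enough to persist the name.
    window.caches.open('user:id');
  }
});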

The bug is currently tracked at #1526246.
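
For a single origin, the leftover caches can be removed from a page of that origin with the standard caches.keys() and caches.delete() calls. The following is an added example, not code from the original post or from Firefox: it deletes every cache and re-lists afterwards to confirm nothing remains. The names purgeCacheStorage and makeFakeCacheStorage are assumptions made for this example, and the in-memory storage is constructed so the code also runs outside a browser.

```javascript
// Delete every Cache API cache visible to `storage` and verify the result.
// `storage` is any object with the CacheStorage methods keys() and
// delete(name); in a page, pass `window.caches`. CacheStorage is scoped
// per origin, so this only reaches the origin of the page it runs in.
async function purgeCacheStorage(storage) {
  const names = await storage.keys();
  const results = await Promise.all(
    names.map(async name => {
      try {
        // delete() resolves to true if the cache existed and was removed.
        return { name, deleted: await storage.delete(name) };
      } catch (err) {
        return { name, deleted: false, error: String(err) };
      }
    })
  );
  // Re-list to confirm nothing survived, for example a cache recreated
  // by a service worker while the purge was running.
  const remaining = await storage.keys();
  return {
    deleted: results.filter(r => r.deleted).map(r => r.name),
    failed: results.filter(r => !r.deleted).map(r => r.name),
    remaining,
  };
}

// Constructed in-memory stand-in for CacheStorage (hypothetical helper).
// Names listed in `locked` simulate deletions that fail.
function makeFakeCacheStorage(names, locked = []) {
  const store = new Set(names);
  return {
    keys: async () => [...store],
    open: async name => { store.add(name); return {}; },
    delete: async name => {
      if (locked.includes(name)) throw new Error('delete failed: ' + name);
      return store.delete(name);
    },
  };
}

// In a browser: purgeCacheStorage(window.caches).then(console.log);
```

A non-empty remaining list means the origin can still recognise the visitor through cache names.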

HTTP authentication cache is not cleared

One of the easiest ways to restrict access to web services is to use HTTP Authentication. The browser shows an authentication dialog and caches the submitted username and password to authorize future requests. This cache is discarded when the browser is closed.

Certain extensions make it possible to forget cookies and authentication data when users navigate away from a page or close a tab.

browser.browsingData.removeCookies({hostnames: ['example.com']})

There is no dedicated interface for clearing the HTTP authentication cache in any of the major browsers, though Chrome respects user intent by clearing this cache when cookies or passwords are deleted.

Firefox does not clear the HTTP authentication cache when the browsingData.removeCookies() or browsingData.removePasswords() function is called, allowing sites to track previously logged-in users until the browser is closed.

Downloads from previous browser sessions are not removed

Extensions can delete the list of downloaded files by calling the browsingData.removeDownloads() API.

browser.browsingData.removeDownloads({})

Records of files downloaded during past browser sessions are not removed, leaving the data free to be viewed in the Library (Shift+Ctrl+Y).

The bug is currently tracked at #1380445.

Clearing certain data types leads to data loss

The goal of the browsingData API is to give granular control over the data types users wish to clear. While the design of the API is sound, its implementation in Firefox appears to be bolted onto legacy services that were not designed to allow for granular data management.

This results in side effects and data loss, such as:

  • Clearing cookies also clears local storage
  • Deleting the history also removes downloads and service workers
  • Service workers and indexedDB are cleared entirely, while the requested time interval is silently ignored

There is a recent effort to rearchitect the internals of the browsingData API in Firefox; you can give feedback and contribute at #1531276.

