I recently stumbled over a subtle interaction between cookie policies and localStorage in Firefox. Herewith, I document it for anyone who might run into the same problem (all four of you) as well as for you JS developers who are using, or thinking about using, locally stored data. Also, there’s a Bugzilla report, so either it’ll get fixed and then this won’t be a problem or else it will get resolved WONTFIX and I’ll have to figure out what to do next.
The basic problem is, every newfangled “try code out for yourself” site I hit is just failing in Firefox 11 and 12. Dabblet, for example, just returns a big blank page with the toolbar across the top, and none of the top-right buttons work except for the Help (“?”) button. And I write all that in the present tense because the problem still exists as I write this.
What’s happening is that any attempt to access localStorage, whether writing or reading, returns a security error. Here’s an anonymized example from Firefox’s error console:
Error: uncaught exception: [Exception... "Security error" code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location: "http://example.com/code.js Line: 666"]
When you go to line 666, you discover it refers to localStorage. Usually it’s a write attempt, but reading gets you the same error.
But here’s the thing: it only does this if your browser preferences are set so that, when it comes to accepting cookies, the “Keep until:” option is set to “ask me every time”. If you change that to either of the other two options, then localStorage can be written and read without incident. No security errors. Switch it back to “ask me every time”, and the security errors come back.
Just to cover all the bases regarding my configuration:
- Firefox is not in Private Browsing mode.
To my way of thinking, this behavior doesn’t conform to step one of 4.3 The localStorage attribute, which states:
The user agent may throw a SecurityError exception instead of returning a Storage object if the request violates a policy decision (e.g. if the user agent is configured to not allow the page to persist data).
localStorage. If that’s somehow impossible, then there should at least be a global preference for how I want to handle
Of course, that’s all true only if localStorage data has expiration times. If it doesn’t, then I’ve already said I’ll accept cookies, even from third-party sites. I just want a say on their expiration times (or, if I choose, to deny the cookie through the dialog box; it’s an option). I’m not entirely clear on this, so if someone can point to hard information on whether localStorage does or doesn’t time out, that would be fantastic. I did see:
User agents should expire data from the local storage areas only for security reasons or when requested to do so by the user.
…from the same section, which to me sounds like localStorage doesn’t have expiration times, but maybe there’s another bit I haven’t seen that casts a new light on things. As always, tender application of the Clue-by-Four of Enlightenment is welcome.
Okay, so the point of all this: if you’re getting localStorage failures in Firefox, check your cookies expiration policy. If that’s the problem, then at least you know how to fix it—or, as in my case, why you’ll continue to have localStorage problems for the next little while. Furthermore, if you’re writing JS that interacts with localStorage or a similar local-data technology, please make sure you’re looking for security exceptions and other errors, and planning appropriate fallbacks.
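One way to do the "look for security exceptions and plan a fallback" part, as an added example that is not code from this post or from any of the sites mentioned. The names openStorage, safeSet, memoryStorage and blockedHost are hypothetical, and blockedHost is a constructed object that mimics a browser whose localStorage getter throws:

```javascript
// In-memory stand-in exposing the part of the Storage API used below.
function memoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: (k) => { data.delete(k); },
  };
}

// Returns { store, persistent, reason }. `host` is normally `window`; taking it
// as a parameter is this example's choice so the failure paths can be exercised.
function openStorage(host) {
  const probe = "__storage_probe__";
  const fallback = (reason) => ({ store: memoryStorage(), persistent: false, reason });
  try {
    // Reading the property can itself throw, so it must sit inside the try.
    const ls = host.localStorage;
    if (!ls) return fallback("unavailable");
    // Round trip: catches stores that exist but refuse writes.
    ls.setItem(probe, "1");
    const ok = ls.getItem(probe) === "1";
    ls.removeItem(probe);
    return ok ? { store: ls, persistent: true, reason: null } : fallback("readback-failed");
  } catch (err) {
    return fallback((err && err.name) || "error");
  }
}

// Writes can still fail after a successful open, so guard each one.
function safeSet(handle, key, value) {
  try {
    handle.store.setItem(key, value);
    return true;
  } catch (err) {
    return false;
  }
}

// Constructed host that mimics the blocked case: the getter throws.
const blockedHost = {
  get localStorage() {
    const e = new Error("Security error");
    e.name = "SecurityError";
    throw e;
  },
};

const handle = openStorage(blockedHost);
safeSet(handle, "draft", "body { color: red }");
console.log(handle.persistent, handle.reason, handle.store.getItem("draft"));
```

In a page, call openStorage(window) once at startup and tell the user when persistent is false, since anything saved will be gone on reload.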