I recently stumbled over a subtle interaction between cookie policies and localStorage in Firefox. Herewith, I document it for anyone who might run into the same problem (all four of you) as well as for you JS developers who are using, or thinking about using, locally stored data. Also, there’s a Bugzilla report, so either it’ll get fixed and then this won’t be a problem or else it will get resolved WONTFIX and I’ll have to figure out what to do next.
The basic problem is, every newfangled “try code out for yourself” site I hit is just failing in Firefox 11 and 12. Dabblet, for example, just returns a big blank page with the toolbar across the top, and none of the top-right buttons work except for the Help (“?”) button. And I write all that in the present tense because the problem still exists as I write this.
What’s happening is that any attempt to access localStorage, whether writing or reading, returns a security error. Here’s an anonymized example from Firefox’s error console:
Error: uncaught exception: [Exception... "Security error" code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location: "http://example.com/code.js Line: 666"]
When you go to line 666, you discover it refers to localStorage. Usually it’s a write attempt, but reading gets you the same error.
But here’s the thing: it only does this if your browser preferences are set so that, when it comes to accepting cookies, the “Keep until:” option is set to “ask me every time”. If you change that to either of the other two options, then localStorage can be written and read without incident. No security errors. Switch it back to “ask me every time”, and the security errors come back.
Just to cover all the bases regarding my configuration:
- Firefox is not in Private Browsing mode.
- dom.storage.default_quota is 5120.
- dom.storage.enabled is true.
Also: yes, I have my cookie policy set that way on purpose. It might not work for you, but it definitely works for me. “Just change your cookie policy” is the new “use a different browser” (which is the new “get a better OS”) and it ain’t gonna fly here.
To my way of thinking, this behavior doesn’t conform to step one of 4.3 The localStorage attribute, which states:
The user agent may throw a SecurityError exception instead of returning a Storage object if the request violates a policy decision (e.g. if the user agent is configured to not allow the page to persist data).
I haven’t configured anything to not persist data — quite the opposite — and my policy decision is not to refuse cookies, it’s to ask me about expiration times so I can decide how I want a given cookie handled. It seems to me that, given my current preferences, Firefox ought to ask me if I want to accept local storage of data whenever a script tries to write to localStorage. If that’s somehow impossible, then there should at least be a global preference for how I want to handle localStorage actions.
Of course, that’s all true only if localStorage data has expiration times. If it doesn’t, then I’ve already said I’ll accept cookies, even from third-party sites. I just want a say on their expiration times (or, if I choose, to deny the cookie through the dialog box; it’s an option). I’m not entirely clear on this, so if someone can point to hard information on whether localStorage does or doesn’t time out, that would be fantastic. I did see:
User agents should expire data from the local storage areas only for security reasons or when requested to do so by the user.
…from the same section, which to me sounds like localStorage doesn’t have expiration times, but maybe there’s another bit I haven’t seen that casts a new light on things. As always, tender application of the Clue-by-Four of Enlightenment is welcome.
Okay, so the point of all this: if you’re getting localStorage failures in Firefox, check your cookies expiration policy. If that’s the problem, then at least you know how to fix it — or, as in my case, why you’ll continue to have localStorage problems for the next little while. Furthermore, if you’re writing JS that interacts with localStorage or a similar local-data technology, please make sure you’re looking for security exceptions and other errors, and planning appropriate fallbacks.
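One way to look for those security exceptions and fall back gracefully, as an added example (not code from this post or from any of the sites it mentions). The names openStorage, memoryStorage and simulateBlockedWindow are hypothetical, and the blocked window is a constructed stand-in for a browser whose policy refuses localStorage access.

```javascript
// Added example. openStorage, memoryStorage and simulateBlockedWindow are
// hypothetical names, not part of any browser API.
const PROBE_KEY = "__storage_probe__";

// Minimal in-memory stand-in with the Storage methods used below.
function memoryStorage() {
  const data = new Map();
  return {
    getItem: (key) => (data.has(key) ? data.get(key) : null),
    setItem: (key, value) => { data.set(key, String(value)); },
    removeItem: (key) => { data.delete(key); },
  };
}

// Returns { store, persistent, reason }. Never throws.
function openStorage(globalObj) {
  try {
    // Reading the property can itself throw the security error, so the
    // access has to be inside the try block, not only the read/write calls.
    const real = globalObj.localStorage;
    // Probe with a real write: policy and quota failures show up here.
    real.setItem(PROBE_KEY, "1");
    real.removeItem(PROBE_KEY);
    return { store: real, persistent: true, reason: null };
  } catch (err) {
    // Fall back to memory so the page keeps working for this session.
    return { store: memoryStorage(), persistent: false, reason: err.name };
  }
}

// Constructed stand-in for a browser whose policy blocks localStorage.
function simulateBlockedWindow() {
  return {
    get localStorage() {
      const err = new Error("The operation is insecure.");
      err.name = "SecurityError";
      throw err;
    },
  };
}

const env = typeof window !== "undefined" ? window : simulateBlockedWindow();
const { store, persistent, reason } = openStorage(env);
store.setItem("draft", "body { color: red }");
if (!persistent) {
  console.warn("localStorage unavailable (" + reason + "); data will not persist");
}
```

A page built this way still renders and works when the browser refuses storage; it only loses persistence across reloads, which the `persistent` flag lets it tell the user.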