search

cookie-status / cookie-status-dev

The cookiestatus.com website is a learning resource for the various tracking protection mechanisms implemented by the major browsers and browser engines.
https://www.cookiestatus.com/
MIT License
107 stars 7 forks source link

More details on "non-cookie storage" status for Safari #9

Closed abebis closed 4 years ago

abebis commented 4 years ago

Current status of "Other browser storage in 1st party context" for Safari is described as

Restricted to 7 days maximum storage on pages with URL decoration (query parameters or fragments) when referring domain is a known tracker.

It should be mentioned that it is 7 days after the last interaction (click, tap, text input). And (less known but more importantly) zero day (1 hour max) without any interaction with the domain.

WebKit blog

After seven days of Safari use without the user interacting with a webpage on website.example, all of website.example’s non-cookie website data is deleted.

In the blog article they don't talk explicitly about the immediate deletion for domains without interaction. I had to look at the code below and do some testing to confirm it.

WebKit source code 

bool ResourceLoadStatisticsMemoryStore::shouldRemoveAllButCookiesFor(ResourceLoadStatistics& resourceStatistic, bool shouldCheckForGrandfathering) const
{
   return resourceStatistic.gotLinkDecorationFromPrevalentResource && !hasHadUnexpiredRecentUserInteraction(resourceStatistic, OperatingDatesWindow::Short) && (!shouldCheckForGrandfathering \|\| !resourceStatistic.grandfathered);
}
bool ResourceLoadStatisticsMemoryStore::hasHadUnexpiredRecentUserInteraction(ResourceLoadStatistics& resourceStatistic, OperatingDatesWindow operatingDatesWindow) const
{
   if (resourceStatistic.hadUserInteraction && hasStatisticsExpired(resourceStatistic, operatingDatesWindow)) {
      // Drop privacy sensitive data because we no longer need it.
      // Set timestamp to 0 so that statistics merge will know
      // it has been reset as opposed to its default -1.
      resourceStatistic.mostRecentUserInteractionTime = { };
      resourceStatistic.storageAccessUnderTopFrameDomains.clear();
      resourceStatistic.hadUserInteraction = false;
   }
 
   return resourceStatistic.hadUserInteraction;
}
sahava commented 4 years ago

Thanks - could you give me repro steps how to test and verify the "immediate deletion" in Safari?

sahava commented 4 years ago

The first (user interaction clarification) is now fixed in 2f202238b84e59562ea7e424307b87a67335a1a6.

Thanks again!

abebis commented 4 years ago

Thanks for the fix! Here are the steps to reproduce the immediate deletion of Local Storage (tested with Safari 13.0.4 on MacOS 10.15.2).

(For step 7 and 8 replace "example.com" with "w3schools.com". sorry this is the first test page I found with a decorated link, outside of ads)

  1. In a terminal run the following command to mark "google.com" as prevalent for ITP $ defaults write com.apple.Safari ITPManualPrevalentResource google.com

  2. Open Safari

  3. From the History menu -> Clear History... -> Clear History

  4. In a terminal, output ITP debug log (keep it open until the last step) with $ log stream -info | grep ITPDebug

  5. In Safari Develop Menu -> Enable ITP Debug Mode You can see the following logs in the terminal of step 4 [com.apple.WebKit:ITPDebug] Turned ITP Debug Mode on. [com.apple.WebKit:ITPDebug] Did set google.com as prevalent resource for the purposes of ITP Debug Mode. [com.apple.WebKit:ITPDebug] About to block cookies in third-party contexts for: 3rdpartytestwebkit.org, google.com. [com.apple.WebKit:ITPDebug] Done updating cookie blocking.

  6. In Safari go to google.com, search for "example link decoration"

  7. In the top result click one of the example.com sitelinks that have query parameters, for example "Add different styles to hyperlinks"

  8. Once on the example.com page, wait (without clicking anything on the page) for a few (five?) seconds until you see the following ITP log, saying that it has deleted all but cookies (=Local Storage, cache, etc.) data for example.com [com.apple.WebKit:ITPDebug] About to remove data records for example.com(all but cookies), 3rdpartytestwebkit.org(all data) If you don't see the data removal log, go back to the google page result, restart safari, click the decorated link again and wait 5 seconds (sometimes the log appears right after restarting and enabling ITP debug log?). You need to re-enable the debug log after each Safari restart :/

Obviously it works also with search ads (they all have decorated LP urls) instead of example.com.

In real life you don't restart Safari very often and data removals only happen every hour (to save battery). You can add a test value in example.com's Local Storage to check that ITP does not lie and that Local Storage data was actually removed. Beware not to click on the page when playing with the web inspector though.

Hope it will work for you too 🙏

sahava commented 4 years ago

Thank you - excellent step-by-step, this is useful for testing other ITP stuff as well :) I managed to reproduce it, so I'll update the site ASAP.

Thank you again, you've been super helpful with your suggestions!

abebis commented 4 years ago

OK nice! I'm glad it helps! In fact I hadn't noticed until yesterday that data removal was happening so fast after a Safari restart. I thought it was at least 1 hour between two removals. 5 seconds lifetime for local storage seems a bit too strict. Wonder if it is intentional 👀

By the way this is similar to third-party tracking cookies in ITP1.0 that could be used "24h after the last interaction", which actually meant "zero hour" for most trackers (those with no user interaction).

abebis commented 4 years ago

Thank you for adding this to the detailed explanation page.

If there is no user interaction with the first-party site, this type of storage is expired within few seconds.

Closing!