Firefox extensions APIs fail to completely clear browsing data

While I was working on Clear Browsing Data I’ve learned about several browser bugs that may render some Firefox extensions that focus on user privacy unreliable.

The browsingData API in Firefox doesn’t properly remove data, enabling sites to track users that rely on extensions to clear browsing data. Removing certain data types can also lead to side effects and data loss.

Data saved with the Cache API isn’t cleared

The browser stores downloaded assets internally when caching is enabled, and the Cache API is used by webpages and service workers for better control over caching.

Browser extensions may delete cached data with browsingData.removeCache().

browser.browsingData.removeCache({})

However, this function only removes assets from the browser’s internal cache, leaving data stored using the Cache API available for future retrieval. This enables tracking users across browser sessions in Firefox.

window.caches.keys().then(keys => {
  const [user] = keys.filter(key => key.startsWith('user:'));
  if (user) {
    console.log('returning visitor:', user.substring(5));
  } else {
    console.log('saving new visitor');
    window.caches.open('user:id');
  }
});

The bug is currently tracked at #1526246.

HTTP authentication cache isn’t cleared

One of the easiest ways to restrict access to web services is to use HTTP Authentication. The browser shows an authentication dialog and caches the submitted username and password to authorize future requests. This cache is discarded when the browser is closed.

Certain extensions make it possible to forget cookies and authentication data when users navigate away from a page or close a tab.

browser.browsingData.removeCookies({hostnames: ['example.com']})

There’s no dedicated interface for clearing the HTTP authentication cache in any of the major browsers, though Chrome respects user intent by clearing this cache when cookies or passwords are deleted.

Firefox doesn’t clear the HTTP authentication cache when the browsingData.removeCookies() or browsingData.removePasswords() function is called, allowing sites to track previously logged in users until the browser is closed.

Downloads from previous browser sessions aren’t removed

Extensions can delete the list of downloaded files by calling the browsingData.removeDownloads() API.

browser.browsingData.removeDownloads({})

Records of files downloaded during past browser sessions aren’t removed, leaving the data free to be viewed in the Library (Shift+Ctrl+Y).

The bug is currently tracked at #1380445.

Clearing certain data types leads to data loss

The goal of the browsingData API is to give granular control over the data types users wish to clear. While the design of the API is sound, its implementation in Firefox appears to be bolted over legacy services that were not designed to allow for granular data management.

This results in side effects and data loss, such as:

  • Clearing cookies also clears local storage
  • Deleting the history also removes downloads and service workers
  • Service workers and indexedDB are cleared entirely, while the requested time interval is silently ignored

There’s a recent effort to rearchitect the internals of the browsingData API in Firefox, you can give feedback and contribute at #1531276.