207545 2020-02-11 06:44:49 -0800 Blocking Access to LocalStorage and SessionStorage for specific web-sites or for all websites doesn't work 100% of the time 2024-07-09 07:23:20 -0700 1 1 1 Unclassified WebKit WebKit API WebKit Nightly Build iPhone / iPad All NEW InRadar P2 Enhancement --- 1 bthomas webkit-unassigned achristensen appledeveloper beidson krzysztof.modras mjs webkit-bug-importer oldest_to_newest 1617362 0 bthomas 2020-02-11 06:44:49 -0800 In order to block LocalStorage access or SessionStorage, developers need to inject some Javascript like like: ``` var localStorage = Object.getOwnPropertyDescriptor(window, 'localStorage'); if (localStorage) { Object.defineProperty(window, 'localStorage', { get: function() { console.error("Local Storage Blocked") return null; }, }); } var sessionStorage = Object.getOwnPropertyDescriptor(window, 'sessionStorage'); if (sessionStorage) { Object.defineProperty(window, 'sessionStorage', { get: function() { console.error("Session Storage Blocked") return null; }, }); } ``` There should be a simpler way to deny a website or anything access to the storage. Currently, there is none. 1617422 1 ap 2020-02-11 09:23:58 -0800 Thank you for the report! The title says "... doesn't work 100% of the time", can you elaborate on that? 1617423 2 webkit-bug-importer 2020-02-11 09:24:11 -0800 <rdar://problem/59350812> 1620583 3 mjs 2020-02-19 02:24:52 -0800 If you add the cited script as WKUserScript using a WKUserContentController, it should be guaranteed to run before the page does anything. Using `evaluateJavaScript:` and friends instead would race with page loading. Is there any other way in which the JS solution is not adequate? 2045301 4 bthomas 2024-07-09 07:23:20 -0700 The problem is the page can grab the `localStorage` variable from an iFrame. Example, if you inject the above script into the MAIN frame, but not all frames, then the following is possible: ``` var localStorage = document.querySelector('iframe').contentWindow.localStorage; // Use localStorage to set values ``` This bypass currently works even on iOS 17. So even though you've blocked local storage for the main-frame, the main-frame can still access local storage via a secondary frame.