Bug 207545 - Blocking Access to LocalStorage and SessionStorage for specific web-sites or for all websites doesn't work 100% of the time
Summary: Blocking Access to LocalStorage and SessionStorage for specific web-sites or ...
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebKit API (show other bugs)
Version: WebKit Nightly Build
Hardware: iPhone / iPad All
: P2 Enhancement
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-02-11 06:44 PST by Brandon
Modified: 2020-02-19 02:24 PST (History)
5 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Brandon 2020-02-11 06:44:49 PST 
In order to block LocalStorage access or SessionStorage, developers need to inject some Javascript like like:
```
var localStorage = Object.getOwnPropertyDescriptor(window, 'localStorage');
if (localStorage) {
    Object.defineProperty(window, 'localStorage', {
        get: function() {
            console.error("Local Storage Blocked")
            return null;
        },
    });
}

var sessionStorage = Object.getOwnPropertyDescriptor(window, 'sessionStorage');
if (sessionStorage) {
    Object.defineProperty(window, 'sessionStorage', {
        get: function() {
            console.error("Session Storage Blocked")
            return null;
        },
    });
}
```

There should be a simpler way to deny a website or anything access to the storage. Currently, there is none.
Comment 1 Alexey Proskuryakov 2020-02-11 09:23:58 PST 
Thank you for the report!

The title says "... doesn't work 100% of the time", can you elaborate on that?
Comment 2 Radar WebKit Bug Importer 2020-02-11 09:24:11 PST 
<rdar://problem/59350812>
Comment 3 Maciej Stachowiak 2020-02-19 02:24:52 PST 
If you add the cited script as WKUserScript using a WKUserContentController, it should be guaranteed to run before the page does anything. Using `evaluateJavaScript:` and friends instead would race with page loading.

Is there any other way in which the JS solution is not adequate?