Issue 357625 in chromium: localStorage Security Issue Cannot Use Polyfill

[chro...@googlecode.com]

Status: Unconfirmed
Owner: ----
Labels: Type-Bug Pri-2

New issue 357625 by bradley....@gmail.com: localStorage Security Issue
Cannot Use Polyfill
http://code.google.com/p/chromium/issues/detail?id=357625

Chrome Version : 33.0.1750.152 (Official Build 256984)

What steps will reproduce the problem?
1. Enable "Block third-party cookies and site data" on
chrome://settings/content
2. Put a page in an iframe (for example, an ad or Facebook Canvas
application)
3. Add a polyfill for localStorage

window.localStorage = {
_data : {},
setItem : function(id, val) { return this._data[id] = String(val); },
getItem : function(id) { return this._data.hasOwnProperty(id) ?
this._data[id] : undefined; },
removeItem : function(id) { return delete this._data[id]; },
clear : function() { return this._data = {}; }
};

4. Attempt to write to localStorage

What is the expected result?

That the polyfill will have over-ridden the blocked localStorage object and
will work correctly (as a local cache that is not persistent between page
loads).

What happens instead?

An exception is thrown: "Uncaught SecurityError: Failed to read
the 'localStorage' property from 'Window': Access is denied for this
document."

Please provide any additional information below. Attach a screenshot if
possible.

We run a Facebook application that uses localStorage to cache data between
page loads. We have discovered that some users (who have the "Block
third-party cookies and site data" setting enabled) are unable to load our
app.

Rather than having to wrap each individual call to localStorage with a
try/catch we would like to simply override the entire object and simply
have a non-persistent datastore so that our code can function the same way.

Unfortunately, Chrome throws an exception even after the localStorage
variable has been overwritten.

--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings

[chro...@googlecode.com]

Comment #1 on issue 357625 by j.chris....@gmail.com: localStorage Security

Issue Cannot Use Polyfill
http://code.google.com/p/chromium/issues/detail?id=357625

I can confirm that this occurs as stated, but additionally that adding an
exception to the site in question in the settings for 3rdPartyCookies was
insufficient - I had to disable 3rdPartyCookie blocking entirely.

[chro...@googlecode.com]

Comment #2 on issue 357625 by jkuhn...@gmail.com: localStorage Security
Issue Cannot Use Polyfill
https://code.google.com/p/chromium/issues/detail?id=357625

Yes, I also have been smitten by this bug. it has ruined my entire 10
minutes but I'll survive it somehow..

Version 40.0.2191.0 canary (64-bit))

Attachments:
Screen Shot 2014-10-17 at 1.38.21 PM.png 440 KB

[chro...@googlecode.com]

Comment #3 on issue 357625 by ism...@donmez.ws: localStorage Security Issue

Cannot Use Polyfill
https://code.google.com/p/chromium/issues/detail?id=357625

This exact problem happens while trying to use https://try.jupyter.org/

How to reproduce:

1. Open https://try.jupyter.org/
2. Open Javascript Console
3. See the error: "Uncaught SecurityError: Failed to read

the 'localStorage' property from 'Window': Access is denied for this
document."

This is with Chrome 42.0.2311.11 dev-m (64-bit), if I whitelist the
relevant cookies it works fine.

[chro...@googlecode.com]

Comment #4 on issue 357625 by ism...@donmez.ws: localStorage Security Issue

Cannot Use Polyfill
https://code.google.com/p/chromium/issues/detail?id=357625

This exact problem happens while trying to use https://try.jupyter.org/

How to reproduce:

1. Open https://try.jupyter.org/

2. Click "Welcome.ipynb"
3. Open Javascript Console
4. See the error: "Uncaught SecurityError: Failed to read

[chro...@googlecode.com]

Comment #5 on issue 357625 by jsb...@chromium.org: localStorage Security

Issue Cannot Use Polyfill
https://code.google.com/p/chromium/issues/detail?id=357625

The behavior is the same in Firefox. Simply assigning to
window.localStorage will not replace the property.

Try:

Object.defineProperty(window, 'localStorage', {value: /*your polyfill
here*/ });

[chro...@googlecode.com]

Updates:
Cc: ssamano...@chromium.org
Labels: Needs-Feedback

Comment #6 on issue 357625 by ssamano...@chromium.org: localStorage

Security Issue Cannot Use Polyfill
https://code.google.com/p/chromium/issues/detail?id=357625

Tested the issue on Windows 7 using latest stable 45.0.2454.101 with below
steps:

1. Open https://try.jupyter.org/
2. Click "Welcome.ipynb"
3. Open Javascript Console

4. Observed the error: "Uncaught SecurityError:Unexpected token &" in
console.

Please find attached screenshot and confirm if this is the issue.

bradley.dwyer@Could you please provide actual and expected behavior
screencast for further triage.

Attachments:
357625.png 211 KB

[chro...@googlecode.com]

Comment #7 on issue 357625 by adob...@gmail.com: localStorage Security

Issue Cannot Use Polyfill
https://code.google.com/p/chromium/issues/detail?id=357625

Throwing exceptions unfortunately causes breakage on many websites. I have
personally experienced this on http://eol.jsc.nasa.gov/HDEV/. This page
contains the live stream player inside an iframe. The iframe contains some
code to do feature checking, e.g. if (widnow.sesssionStorage) { ... } but
the code crashes with an exception:

Uncaught SecurityError: Failed to read the 'sessionStorage' property

from 'Window': Access is denied for this document.

Please do not throw exception on access to properties. Developers really
don't expect access to throw and this ends up breaking many pages.
Returning null should suffice.

[chro...@googlecode.com]

Updates:
Cc: rnimmaga...@chromium.org

Comment #10 on issue 357625 by rnimmaga...@chromium.org: localStorage

Security Issue Cannot Use Polyfill

https://code.google.com/p/chromium/issues/detail?id=357625

@bradley.dwyer: Would you mind replying as per comment #9 ?

Appreciate your help.

Thank you!

[chro...@googlecode.com]

Comment #11 on issue 357625 by j.chris....@gmail.com: localStorage Security

Issue Cannot Use Polyfill
https://code.google.com/p/chromium/issues/detail?id=357625

The security exception is good when methods on the object that provides
that storage access are accessed when that isn't allowed - but if some
other script has by some means found out that it isn't allowed (e.g. it
returned null), and replaced it with a polyfill, then access to that
replacement value on the currently-special property shouldn't inherit the
special check and should function as any other normal JS object.

I.e. something like the following should work regardless of settings, with
no errors thrown:

if (!window.localStorage) { window.localStorage = myStoragePolyFill; }
// ...
window.localStorage.setItem(...);

But currently this doesn't work.

[chro...@googlecode.com]

Updates:
Cc: durga.be...@chromium.org

Comment #12 on issue 357625 by durga.be...@chromium.org: localStorage

Security Issue Cannot Use Polyfill
https://code.google.com/p/chromium/issues/detail?id=357625

bradley.dwyer@ , or anyone could you please help providing update on
comment # 9 or other way to triage it further.