How to control websites' use of localStorage in Firefox?
Firefox's relationship between cookies and localstorage (from https://bugzilla.mozilla.org/show_bug.cgi?id=341524):
- disabling cookies disables storage, unless the site is on the whitelist.
- enabling all cookies enables storage, except if the site is on the blocked list.
- if a site is set to session only in the block list, only session storage may be used. Global storages are treated like session storages.
- similarly, if the cookie preferences are set to session only, all storage usage is session only
- if the cookie preferences are set to prompt, this is treated the same as reject cookies. Not sure whether we want prompting to occur here. Do cookies prompt every time a cookie is set, or just once per session?
- the hidden preference dom.storage.disabled can be used to disable DOM storage.
Thus, you should be able to use cookie managers such as Cookie Monster to control localstorage.
To view/delete persistent localstorage in Firefox, you can use Foundstone HTML5 Local Storage Explorer or NoTrace. Other related Firefox extensions are listed here.
From How to clear and disable DOM Storage in Firefox, IE and Chrome:
Clear DOM Storage in Firefox:
Select “Tools” -> “Clear Recent History”, open “Details”, check “Cookies” and select “Everything” as time range.
ATTENTION: No other time range will clear the DOM Storage.[...]
Disable DOM Storage in Firefox:
Type “about:config” in your address bar and hit enter to view your internal browser settings. Scroll down to "dom.storage.enabled", right click on it and hit "Toggle" to disable the DOM Storage.
From Bypassing the intent of blocking "third-party" cookies:
In concept, HTML5 Local Storage is very similar to cookies. On a per-origin basis, there is a set of disk-persisted name / value pairs.
With a simple test, it's easy to show that the HTML5 Local Storage feature is not affected by the third-party cookie setting.
Mozilla knows about this issue: Bug 536509 - localStorage does not obey "third-party cookies" pref. Fortunately, if you untick Firefox checkbox "Accept cookies from sites," then localstorage is enabled only on domains that are allowed in Firefox's cookie Exceptions list. Since JavaScript is needed to set localstorage, JavaScript blocking extensions like NoScript can also mitigate this issue.
Localstorage test sites:
- http://csh.rit.edu/~ryanw/chaos/WebStorageTest.html
- http://people.w3.org/mike/localstorage.html
- http://scary.beasts.org/misc/iframe_storage.html
Firefox issue: Bug 748620 - When cookie expiration is set to ask every time, localStorage throws a security exception.
All of the information in this answer was adapted from DOM storage: browser data storage that can bypass the intent of blocking third-party cookies, a thread that I started.
I am the developer of the Cookie Controller addon, and it will show you the permissions that apply to local storage (and session storage) as well as letting you set those permissions.
However, to answer your original question, permissions for DOM storage are essentially the same as for cookies. Certain permissions, such as 3rd party, do not apply, but the settings to deny cookies or restrict them to the current session are also applied to DOM storage. Unfortunately Firefox will not show you whether a web page is using DOM storage or not so it can be difficult to verify. Hence the addon is useful.
There is also a hidden preference that will completely disable all DOM storage independently of cookies: dom.storage.enabled. This is a little brutal and usually you would just block cookies to block storage. Equally, exceptions set to allow individual web sites to set cookies also allow them to use DOM storage.
Lastly, there is a limit on the amount of storage that can be used by each web page. By default this is 5MB but you can change it, potentially to zero. However, web pages don't always handle overflowing this quota very well so you might cause problems by changing it.