The other day, I received a harmless-looking Issue for my app SVGcode (announcement blog post). The Issue read:
Crash when opened with cookies blocked
Hey I block cookies by default. Unfortunately your website doesn’t handle that nicely despite it not needing (IMO) cookies to operate. I'm getting this error, because blocking cookies also blocks localStorage.
Uncaught DOMException: Failed to read the 'localStorage' property from 'Window': Access is denied for this document.
Please add fallback to js provided localStorage, because it makes the app unusable.
I don't use cookies in the app at all, but for sure, when I disabled cookies in Chrome, the app wasn't usable.
All I am using is some innocent localStorage and IndexedDB to persist user settings like the values of the sliders or the chosen color scheme.
Turns out, with all cookies blocked, Chrome disables a lot of (all?) APIs that can be used to persist data and thus potentially profile users. Here are the ones that I found:
- localStorage
- sessionStorage
- IndexedDB
- CacheStorage
- Web SQL (obsolete)
- Service Workers
- Origin Private File System
- webkitRequestFileSystem() (obsolete)
The code sample below shows all these APIs and the error messages they throw when you try to use them with cookies blocked.
```js
localStorage;
// Uncaught DOMException: Failed to read the 'localStorage' property from 'Window': Access is denied for this document.

sessionStorage;
// Uncaught DOMException: Failed to read the 'sessionStorage' property from 'Window': Access is denied for this document.

await caches.open('test');
// Uncaught DOMException: An attempt was made to break through the security policy of the user agent.

const openRequest = indexedDB.open('test', 1);
openRequest.onerror = function () {
  console.error(openRequest.error);
};
// DOMException: The user denied permission to access the database.

openDatabase('test', '1', 'test', 1);
// Uncaught DOMException: An attempt was made to break through the security policy of the user agent.

await navigator.serviceWorker.register('.');
// Uncaught DOMException: Failed to register a ServiceWorker for scope ('https://example.com/') with script ('https://example.com/'): The user denied permission to use Service Worker.

await navigator.storage.getDirectory();
// Uncaught DOMException: Storage directory access is denied.

webkitRequestFileSystem(
  window.PERSISTENT,
  1,
  () => {},
  (err) => console.error(err)
);
// DOMException: An ongoing operation was aborted, typically with a call to abort().

webkitRequestFileSystem(
  window.TEMPORARY,
  1,
  () => {},
  (err) => console.error(err)
);
// DOMException: An ongoing operation was aborted, typically with a call to abort().
```
Did I miss anything? If so, please let me know!
The fix for the Issue was annoying, but simple. Always try...catch any potentially blocked calls:
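One way to wrap such a call, as an added example that is not the original post's or SVGcode's code: the property read itself happens inside the `try`, and a blocked store falls back to an in-memory one, as the Issue asked. The names `MemoryStorage`, `safeStorage` and `blockedWindow` are assumptions, and the blocked window is a constructed stand-in so the snippet also runs outside a browser.

```js
// Added example: in-memory stand-in used when the real store is blocked.
class MemoryStorage {
  #items = new Map();
  getItem(key) {
    const k = String(key);
    return this.#items.has(k) ? this.#items.get(k) : null;
  }
  setItem(key, value) {
    this.#items.set(String(key), String(value));
  }
  removeItem(key) {
    this.#items.delete(String(key));
  }
}

// `getStore` is a callback such as () => window.localStorage (name assumed).
// With cookies blocked, merely reading the property throws, so the read
// has to happen inside the try block, not at the call site.
function safeStorage(getStore) {
  try {
    const store = getStore();
    // Probe with a write: a store can be readable and still reject writes.
    const probe = '__storage_probe__';
    store.setItem(probe, '1');
    store.removeItem(probe);
    return { store, persistent: true, reason: null };
  } catch (err) {
    // Blocked: settings keep working, but only for this page load.
    return { store: new MemoryStorage(), persistent: false, reason: err.name };
  }
}

// Constructed stand-in for a window with storage blocked (not a real browser).
function blockedWindow() {
  return {
    get localStorage() {
      const err = new Error('Access is denied for this document.');
      err.name = 'SecurityError'; // assumed error name for this simulation
      throw err;
    },
  };
}

// In the browser: const { store } = safeStorage(() => window.localStorage);
const demo = safeStorage(() => blockedWindow().localStorage);
demo.store.setItem('colorScheme', 'dark');
console.log(demo.persistent, demo.reason, demo.store.getItem('colorScheme'));
```

The `persistent` flag lets the app tell the user that settings will not survive a reload instead of failing silently.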
Please report any other errors you encounter (I don't care for the analytics script failing). And thanks, @JakubekWeg, for caring enough to have opened this Issue! Jakub is the proof that users exist who block any and all cookies. Check your error logs, you might be losing users, too!
(On a tangent, MDN is completely broken with cookies blocked, too. I was about to report this problem (because I care and love MDN 😍), when I discovered a PR is already under way that fixes the Issue. Thanks, @bershanskiy!)
This post appeared first on https://blog.tomayac.com/2022/08/30/things-not-available-when-someone-blocks-all-cookies/.