Bug 207545

Summary: Blocking Access to LocalStorage and SessionStorage for specific web-sites or for all websites doesn't work 100% of the time
Product: WebKit Reporter: Brandon <bthomas>
Component: WebKit APIAssignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Enhancement CC: achristensen, appledeveloper, beidson, krzysztof.modras, mjs, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: iPhone / iPad   
OS: All   

Description Brandon 2020-02-11 06:44:49 PST 
In order to block LocalStorage access or SessionStorage, developers need to inject some Javascript like like:
```
var localStorage = Object.getOwnPropertyDescriptor(window, 'localStorage');
if (localStorage) {
    Object.defineProperty(window, 'localStorage', {
        get: function() {
            console.error("Local Storage Blocked")
            return null;
        },
    });
}

var sessionStorage = Object.getOwnPropertyDescriptor(window, 'sessionStorage');
if (sessionStorage) {
    Object.defineProperty(window, 'sessionStorage', {
        get: function() {
            console.error("Session Storage Blocked")
            return null;
        },
    });
}
```

There should be a simpler way to deny a website or anything access to the storage. Currently, there is none.
Comment 1 Alexey Proskuryakov 2020-02-11 09:23:58 PST 
Thank you for the report!

The title says "... doesn't work 100% of the time", can you elaborate on that?
Comment 2 Radar WebKit Bug Importer 2020-02-11 09:24:11 PST 
<rdar://problem/59350812>
Comment 3 Maciej Stachowiak 2020-02-19 02:24:52 PST 
If you add the cited script as WKUserScript using a WKUserContentController, it should be guaranteed to run before the page does anything. Using `evaluateJavaScript:` and friends instead would race with page loading.

Is there any other way in which the JS solution is not adequate?
Comment 4 Brandon 2024-07-09 07:23:20 PDT 
The problem is the page can grab the `localStorage` variable from an iFrame.

Example, if you inject the above script into the MAIN frame, but not all frames, then the following is possible:


```
var localStorage = document.querySelector('iframe').contentWindow.localStorage;
// Use localStorage to set values
```

This bypass currently works even on iOS 17. So even though you've blocked local storage for the main-frame, the main-frame can still access local storage via a secondary frame.