Persistent local storage across domains


When browsing across multiple domains my localStorage object containing cookie consent is shared. This is odd, because this is functionality we’d like to implement but are currently unable to due to limitations with cookie-size and cross-domain sharing of localStorage restrictions.

We’re looking to implement cross domain cookie consent for a number of websites. This works in Brave, but not in any other browser. I’m wondering if this is intentional.

How can this issue be reproduced?

  1. Browse to www.seasons.nl and accept (or modify, or deny, really any choice) the cookie settings.
  2. Browse to www.rootsmagazine.nl - There is no cookie consent window shown.
  3. Browse to www.rootsmagazine.nl#cookies to view the current cookie consent settings and you’ll see they’re the same as set on seasons.

Attempting this in another browser gives the expected result as defined below.

Expected result:
Expected result would be a new cookie consent window to set consent.

Brave Version (check About Brave):
Version 1.59.120 Chromium: 118.0.5993.88

Additional Information:
I’ve read about the ephemeral storage - I could not distill the information enough to figure out whether or not this would be intended behaviour somehow, but to me it seems it should not be.

Ephemeral Storage allows 3p cookies but isolates them so no other 1p site can access them, only the one that created/accessed them, that means, what you are explaining is impossible in Brave.
In simple words, there will be two different Ephemeral Storages for myprivacy.roularta.be that only seasons will access and then the other where only rootsmagazine can access.

You have to allow myprivacy.roularta.be in brave://settings/cookies to be able to do what you say, which means, roularta will be in the persistent storage where websites can access it, that way ALL websites can access it.
If not, there is also the option to individually allow 3p per domain, but that means seasons and rootsmagazine would have to have the same option to be able to access the same roularta persistent storage.

So, you should check that, because it is the only way for your scenario to happen.

Hey Emi, first of all thanks for taking the time to check this.

I’ve looked at my settings and made sure brave-shields are enabled and there seems to be no explicit whitelisting:

Well, I don’t know what to tell you. That’s the way it is set up by brave when you ‘block third-party cookies’, cookies will get isolated in their own storage.

You can even isolate 1p storage in Brave in the Ephemeral by using the “sites that clear when you close them”.

In fact, you can even easily switch from Persistent to Ephemeral by moving the domain from clear to allow or the other way.

What does brave://settings/content/all say about it? Because that’s where the stuff will be stored, if there is no roularta.be, well, it is not even being stored in the browser, nothing should be ‘leaking’ to other websites.
I mean I use nightly and I tested it, I know Brave recently fixed an issue from years with Ephemeral Storage where refresh wouldn’t switch local/session storage from persistent to ephemeral, and the site had to be closed, but it shouldn’t be this case.

Also, Ephemeral Storage by default takes 30 seconds to clear, which can be disabled with this flag brave://flags/#brave-ephemeral-storage-keep-alive but I don’t think it has to do anything with this either, since the storages are isolated so one domain can’t use what the other domain is using.

Hey Emi, thanks again!

So this only works when I’ve disabled brave shields. Maybe that is expected behaviour - but to my knowledge localStorage is not designed to be able to be shared across domains. I’m going back in to do some more testing and see if Didomi (the CMP) is using some iframe postmessage method of getting this to work.

Well, technically Ephemeral Storage works regardless of Shields, but the thing is, when you disable Shields, it will also add the domain to allow cookies with the Including third-party cookies on this site option checked, that means it will store things in the Persistent Storage, since it will not be blocking or isolating the 3p data.

There is https://dev-pages.brave.software/storage/index.html to test different stuff about this, but for example, Ephemeral Storage test, seems like it broke, since now the way Ephemeral Storage is done in Chromium 118 is different than previous versions, now you can see the values, like if they were stored in Persistent Storage, but they are not, in the past, you would just see it, like if nothing existed, but something was there.
So now I notice it says ‘wrong’ when reading the values, instead of showing like the “Expected Outcome”.
But you can test how it will say still Empty if you see the Step 2: Remote Page, Same Session or the Step 3: Remote Page, New Session which are the ones important to test your scenario.
The Step 4: This Page, Same Session Case is the one that will show wrong everywhere.

But you can test other ones like Frames and other tests, not just Ephemeral Storage one.

But it should work as I said, unless things get added to an allowed list, nothing should be shared across domains, just isolated, like I said, one isolation storage per website and their respective 3p data.
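Added example, not part of the thread and not Brave's code: a small JavaScript model of the bucket selection the replies above describe, where a third-party frame gets one isolated ephemeral bucket per top-level site unless it is allowed globally or on that site. The class, method and option names are assumptions, and first-party detection is simplified to host equality.

```javascript
// Simplified model of the storage selection described in the thread above.
// Not Brave's code: class, method and field names are assumptions.
const KEEP_ALIVE_MS = 30000; // per the thread: ephemeral storage clears after 30 s

class StorageModel {
  constructor({ allowedThirdParties = [], sitesAllowingThirdParty = [] } = {}) {
    this.allowedThirdParties = new Set(allowedThirdParties);         // global allow list
    this.sitesAllowingThirdParty = new Set(sitesAllowingThirdParty); // e.g. Shields off
    this.persistent = new Map(); // frame host -> Map of items
    this.ephemeral = new Map();  // "topSite|frame host" -> Map of items
    this.closedAt = new Map();   // topSite -> time its last tab was closed
  }

  // Pick the bucket a frame's localStorage resolves to under a top-level site.
  bucket(topSite, frameHost) {
    const shared = frameHost === topSite ||       // first party (host equality only)
      this.allowedThirdParties.has(frameHost) ||
      this.sitesAllowingThirdParty.has(topSite);
    const [store, key] = shared
      ? [this.persistent, frameHost]
      : [this.ephemeral, `${topSite}|${frameHost}`];
    if (!store.has(key)) store.set(key, new Map());
    return store.get(key);
  }

  closeSite(topSite, now) { this.closedAt.set(topSite, now); }

  // Drop ephemeral buckets of sites closed longer ago than the keep-alive.
  sweep(now) {
    for (const [site, t] of this.closedAt) {
      if (now - t < KEEP_ALIVE_MS) continue;
      for (const key of [...this.ephemeral.keys()]) {
        if (key.startsWith(`${site}|`)) this.ephemeral.delete(key);
      }
      this.closedAt.delete(site);
    }
  }
}

// Constructed scenario from the thread: one consent frame embedded on two sites.
function consentSeenOnSecondSite(options) {
  const m = new StorageModel(options);
  m.bucket('www.seasons.nl', 'myprivacy.roularta.be').set('consent', 'accepted');
  return m.bucket('www.rootsmagazine.nl', 'myprivacy.roularta.be').get('consent');
}

console.log(consentSeenOnSecondSite({}));
console.log(consentSeenOnSecondSite({ allowedThirdParties: ['myprivacy.roularta.be'] }));
```

Allowing third-party storage on only one of the two sites still leaves the second site reading its own empty ephemeral bucket, which matches the reply's point that both sites need the same setting.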
