The website is using IndexedDB, for which MDN writes:
IndexedDB is a way for you to persistently store data inside a user's browser. Because it lets you create web applications with rich query abilities regardless of network availability, your applications can work both online and offline.
Not clearing it sounds like a bug in Firefox indeed, but apparently the developers feel otherwise. Like in March 2015, someone wrote:
But even when you delete all your history information the data from IndexedDB persist.
The right way to delete this data is by going to about:permissions
address, look for the domain and pressing the Forget About This Site
button.
While about:permissions
does not work in my Firefox 55, going into Tools, Page Info, Permissions I get the button "Clear Storage":
![Page Info dialog](https://i.stack.imgur.com/S6fJ7.png)
Even worse, neither the greyed-out "Use Default: Always Ask" in the above screen capture, nor enabling "Tell you when a website asks to store data for offline use" in settings, Advanced, Network, have any effect to avoid storage:
![Advanced settings](https://i.stack.imgur.com/lDGnq.png)
It seems the following from August 2011 may still apply (where "[only]" is added by me):
By default in Firefox 4, a site can use up to 50MB of IndexedDB storage. [Only] If it tries to use more than 50MB, Firefox will ask the user for permission [...]
In Firefox for mobile devices (Google Android and Nokia Maemo), Firefox will [only] ask for permission if a site tries to use more than 5MB [...]
To disable it altogether, go to about:config
and disable dom.indexedDB.enabled
. However, beware that such might affect plugins/add-ons as well, which seems to be why some want to remove that option, for which someone noted in May 2016:
Until IndexedDB is handled in the same way as cookies with respect to accepting/clearing and third-party behavior, this pref should exist.
(One may find dom.storage.enabled
interesting too...)
Best Answer
The short answer is yes, though it is not as easy as you might think.
The browser stores cookies independently for each domain. That means that
www.foo.com
cannot access the cookies made bywww.bar.com
and vice versa.The vulnerability (or loophole) is in included pages. Most advertisements come from a different domain than the page itself, so they create their own sets of cookies. When another site includes an ad from the same ad provider, they can read their own cookies created earlier and they know you visited that page earlier. This way they can only track you on sites that host their ads. This is the strategy Google uses to serve relevant ads.
Also Facebook and other social networks can do this because of their ubiquitous
like
,tweeet
,pin
etc. buttons, which are also included content. This is not avoidable without disabling cookies altogether or using private browsing, but that could be a major burden (Cookies do make the Internet convenient). I personally choose not to be paranoid of these things.