When I visit a website it sometimes puts cookies on my browser. Usually cookies keep track of browsing info from that particular site. If I don't delete those cookies and browse other websites, will the cookies be able to know which site I am browsing?
Also, can any website read browsing history which is saved by browsers? Can any website know about my browsing history by help of cookies, browsing histories saved by browsers, or by any scripting language e.g. javascript?
Privacy – Can a Website Know My Browsing History
browserhistoryinternet-securityprivacywebsite
Related Solutions
Although completely overkill, the best privacy you can get is probably with something like the TOR browser bundle. You can test the resulting privacy using Panopticlick.
The website is using IndexedDB, for which MDN writes:
IndexedDB is a way for you to persistently store data inside a user's browser. Because it lets you create web applications with rich query abilities regardless of network availability, your applications can work both online and offline.
Not clearing it sounds like a bug in Firefox indeed, but apparently the developers feel otherwise. Like in March 2015, someone wrote:
But even when you delete all your history information the data from IndexedDB persist.
The right way to delete this data is by going to
about:permissionsaddress, look for the domain and pressing theForget About This Sitebutton.
While about:permissions does not work in my Firefox 55, going into Tools, Page Info, Permissions I get the button "Clear Storage":
Even worse, neither the greyed-out "Use Default: Always Ask" in the above screen capture, nor enabling "Tell you when a website asks to store data for offline use" in settings, Advanced, Network, have any effect to avoid storage:
It seems the following from August 2011 may still apply (where "[only]" is added by me):
By default in Firefox 4, a site can use up to 50MB of IndexedDB storage. [Only] If it tries to use more than 50MB, Firefox will ask the user for permission [...]
In Firefox for mobile devices (Google Android and Nokia Maemo), Firefox will [only] ask for permission if a site tries to use more than 5MB [...]
To disable it altogether, go to about:config and disable dom.indexedDB.enabled. However, beware that such might affect plugins/add-ons as well, which seems to be why some want to remove that option, for which someone noted in May 2016:
Until IndexedDB is handled in the same way as cookies with respect to accepting/clearing and third-party behavior, this pref should exist.
(One may find dom.storage.enabled interesting too...)
Best Answer
The short answer is yes, though it is not as easy as you might think.
The browser stores cookies independently for each domain. That means that
www.foo.comcannot access the cookies made bywww.bar.comand vice versa.The vulnerability (or loophole) is in included pages. Most advertisements come from a different domain than the page itself, so they create their own sets of cookies. When another site includes an ad from the same ad provider, they can read their own cookies created earlier and they know you visited that page earlier. This way they can only track you on sites that host their ads. This is the strategy Google uses to serve relevant ads.
Also Facebook and other social networks can do this because of their ubiquitous
like,tweeet,pinetc. buttons, which are also included content. This is not avoidable without disabling cookies altogether or using private browsing, but that could be a major burden (Cookies do make the Internet convenient). I personally choose not to be paranoid of these things.