In recent versions of Safari (I am on 5.1 now), local storage can be cleared with Safari » Reset Safari » Remove all website data. Or by using Safari » Preferences » tabsheet Privacy » Cookies and other website data » Remove All Website Data. And even by using Remove All when viewing the details on that very same Privacy tabsheet. The Security tabsheet no longer shows any button to view the databases.
Some more details, also for older versions:
On my Mac, I found the folder ~/Library/Safari/LocalStorage, which has a file for each site that uses local storage†, with its creation date set to my very first visit to each site. On Windows, this might be in a folder like %APPDATA%\Apple\Safari or %APPDATA%\Apple Computer\Safari.
Deleting all those files, and restarting Safari, obviously cleared the data for StackAuth too.
However, logging in to a random Stack Exchange site gets me the StackAuth data again, and a file in the above folder, without ever being prompted to allow that (my Safari preferences show "Database storage: none allowed before asking"), and without the domain being shown in the "Show databases" list. This also happens in private browsing modes.
This seems to be caused by the difference between HTML5 Web Databases, and HTML5 Web Storage (the latter including local storage). Chrome shows both for Twitter:
Apparently Safari only warns for databases, not for local storage? Maybe blocking local storage is going to be as hard as stopping Adobe Flash from leaving its privacy trail. The specifications state:
User agents should expire data from the local storage areas only for security reasons or when requested to do so by the user.
Let's hope someone knows of an easier way, or that we get some more control in future releases. (I filed a feature request at Apple for that.)
† In my case, I found as many as 5,904 items dating back to March 2009. And even my own domains, for which I'm sure no local storage is used, were listed with 8kb files each. Investigation shows that Alexey Ruzanov's FlashBlock user script uses local storage too, and hence causes a file for each site one visits, regardless of whether it uses local storage, and regardless of whether it uses Flash.
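A read-only inventory of the folder described above, as an added example that is not part of the original post: it lists each per-site file with its size and creation date, oldest first. The `<scheme>_<host>_<port>.localstorage` filename pattern, the function names and the sample files are assumptions; the post only gives the folder path.

```python
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumption: each store is named "<scheme>_<host>_<port>.localstorage".
# The post only states that the folder holds one file per site.
SUFFIX = ".localstorage"

def parse_origin(filename):
    """Return (scheme, host) from a store filename, or None if it does not match."""
    if not filename.endswith(SUFFIX):
        return None
    parts = filename[:-len(SUFFIX)].split("_")
    if len(parts) < 3:
        return None
    # Scheme is the first field, port the last; the host may contain "_".
    return parts[0], "_".join(parts[1:-1])

def first_seen(st):
    """Creation time where the OS exposes it (st_birthtime on macOS), else mtime."""
    return getattr(st, "st_birthtime", st.st_mtime)

def inventory(folder):
    """Describe every local storage file in the folder, oldest first."""
    rows = []
    for path in Path(folder).iterdir():
        origin = parse_origin(path.name)
        if origin is None or not path.is_file():
            continue
        st = path.stat()
        rows.append({"scheme": origin[0], "host": origin[1], "bytes": st.st_size,
                     "first_seen": datetime.fromtimestamp(first_seen(st), timezone.utc)})
    return sorted(rows, key=lambda r: r["first_seen"])

def build_sample(folder):
    """Constructed sample data: three fake stores plus one unrelated file."""
    for name, size in [("http_example.com_0.localstorage", 8192),
                       ("https_login.example.org_0.localstorage", 20480),
                       ("http_my_site.test_0.localstorage", 8192),
                       ("notes.txt", 10)]:
        Path(folder, name).write_bytes(b"\0" * size)

if __name__ == "__main__":
    folder = Path.home() / "Library/Safari/LocalStorage"  # path from the post
    if not folder.is_dir():  # fall back to constructed sample data
        folder = Path(tempfile.mkdtemp())
        build_sample(folder)
    for r in inventory(folder):
        print(f'{r["first_seen"]:%Y-%m-%d}  {r["bytes"]:>8}  {r["scheme"]}://{r["host"]}')
```
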
Best Answer
This is not a security bug; rather, it is a feature of Local Storage (which is designed to be persistent through restarts).
It can be cleared (or edited) by the user. If you press [F12], Firefox will bring up the developer bar. In the tab marked Storage is the subsection Local Storage, where individual pieces of data can be deleted out of Local Storage at will.