I hope I didn't miss something somewhere, but I can't understand what exactly is happening with what I'm doing.

I'm programming a webapp, and in my app I programmatically open a new page to search for something in duckduckgo. I'm using the following code, `window.open("https://duckduckgo.com/?q=something")`, which is good for me.

This all works fine, but I noticed that when this code is executed, in my console, the following is logged:

Storage access automatically granted for tracker "https://duckduckgo.com" on "http://localhost:8000".

I'm wondering what this means.
I'm aware that it's probably not something related to duckduckgo itself, maybe just that they are nice enough to actually log something and be transparent.

What information exactly is shared with an external website when using `window.open`? What does this "granting access to the tracker" mean? Where is this log in my console coming from? Can an external site actually execute some JavaScript code in my current page? This seems strange to me and would sound disastrous for privacy.

chateau
  • Documented [here](https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Privacy/Storage_access_policy). I'm thinking you were automatically granted access because you've interacted with DDG before. –  Nov 20 '19 at 19:32

1 Answer

So from what I understand from this Firefox documentation page (plus a bit of experimenting with `window.open`):

When `window.open` is run to open https://duckduckgo.com, this allows any tracker from https://duckduckgo.com that would be loaded from localhost now or in the next 30 days to have access to its own domain storage (and not only the one of localhost).

The message is logged by Firefox itself to inform you that you just granted this right to https://duckduckgo.com.

(Thanks a lot Amy for the link that allowed me to learn and answer myself :))

chateau
  • I don't clearly understand what you mean when you say "and not only the one of localhost". Is duckduckgo being granted any access to anything other than duckduckgo's data? That's the main concern; can they track your page's data? For example, can they see any private data that may be in the script that calls `window.open`, or any data that the calling script stores in local storage? – Lonnie Best May 04 '20 at 07:04
  • @LonnieBest Would also be curious about details on this, this is what the article I mention says about this: "The restrictions applied by the policy will not prevent third-party scripts classified as tracking resources from accessing storage in the main context of the page. These scripts can continue to use storage scoped to the top-level origin." – chateau May 05 '20 at 09:56
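
What the grant in the console message looks like from the third party's side, as an added example that is not part of the original posts: a script running in a cross-site iframe can ask the browser, through the Storage Access API (`document.hasStorageAccess()` and `document.requestStorageAccess()`), whether it currently has access to its own origin's cookies. The function name `probeStorageAccess`, its `doc` parameter and the shape of the result object are assumptions made for this example.

```javascript
// Added example. Meant to run inside a cross-site <iframe>, i.e. in a
// document served by the third party and embedded in your page.
// `doc` is normally `document`; it is a parameter (an assumption of this
// example) so the function can be exercised with a stub outside a browser.
async function probeStorageAccess(doc, { request = false } = {}) {
  const result = { supported: false, before: null, after: null, error: null };

  // Storage Access API not implemented: nothing to report.
  if (typeof doc.hasStorageAccess !== "function") return result;
  result.supported = true;

  // true  -> this document can use its own origin's unpartitioned cookies
  // false -> the browser is blocking or partitioning them in this embed
  result.before = await doc.hasStorageAccess();
  result.after = result.before;

  // Explicit request path. Browsers require a user gesture for this call
  // and may reject it; a rejection leaves access unchanged.
  if (!result.before && request &&
      typeof doc.requestStorageAccess === "function") {
    try {
      await doc.requestStorageAccess();
      result.after = await doc.hasStorageAccess();
    } catch (err) {
      result.error = err && err.name ? err.name : String(err);
    }
  }
  return result;
}

// In the embedded frame's own script (skipped when no DOM is present):
if (typeof document !== "undefined") {
  probeStorageAccess(document).then((r) => console.log("storage access:", r));
}
```

The result describes the embedded document's access to its own origin's state; it says nothing about the embedding page's storage.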