https://connect.mozilla.org/t5/discussions/opfs-usage-per-origin-in-the-devtools-storage-inspector/m-p/127106#M50324 <P>I was triggered to request this new feature because of this research paper (<A href="https://hannesweissteiner.com/pdfs/frost.pdf" target="_blank" rel="noopener">https://hannesweissteiner.com/pdfs/frost.pdf</A>) about yet another new tracking technique: timing the speed of the users SSD via OPFS.&nbsp;See also the discussion on HN here:&nbsp;<A href="https://news.ycombinator.com/item?id=48309492" target="_blank" rel="noopener">https://news.ycombinator.com/item?id=48309492</A>.</P><P>The Origin Private File System (OPFS) API allows websites to store potentially large files on a user's device — in some cases up to 60% of available disk space. Recent research has shown that this can be exploited as a side-channel attack vector: by timing OPFS I/O operations, a malicious site can infer what other websites or applications a user has running (see: <A href="https://arstechnica.com/security/2026/05/websites-have-a-new-way-to-spy-on-visitors-analyzing-their-ssd-activity/" target="_blank" rel="noopener">https://arstechnica.com/security/2026/05/websites-have-a-new-way-to-spy-on-visitors-analyzing-their-ssd-activity/</A>).</P><P>Firefox currently has two gaps when it comes to OPFS:</P><P>1. <STRONG>No DevTools visibility,</STRONG>&nbsp;Unlike cookies, localStorage, or IndexedDB, OPFS storage used by a website is not shown anywhere in the DevTools Storage Inspector. This makes it impossible for developers and privacy-conscious users to see what a site has written to disk.</P><P>2. <STRONG>No user controls</STRONG>. There is no setting to block OPFS access entirely, nor any option to mitigate the timing side-channel by injecting artificial jitter into OPFS read/write latency (similar to how Firefox already adds noise to certain APIs like canvas and AudioContext to prevent fingerprinting).</P><P><STRONG>Requested improvements:</STRONG></P><P>- Show OPFS usage per origin in the DevTools Storage Inspector, with the ability to inspect and delete stored files.<BR />- Add a permission or privacy setting to block or restrict OPFS access, either globally or per site.<BR />- Add random timing noise to OPFS operations to neutralize SSD-based side-channel attacks, consistent with Firefox's existing anti-fingerprinting approach.</P><P>These changes would bring OPFS in line with how Firefox already handles other storage APIs, and would meaningfully improve user privacy against an emerging class of attacks.</P> Mon, 01 Jun 2026 13:15:06 GMT TheJanManShow 2026-06-01T13:15:06Z https://connect.mozilla.org/t5/discussions/opfs-usage-per-origin-in-the-devtools-storage-inspector/m-p/127106#M50324 <P>I was triggered to request this new feature because of this research paper (<A href="https://hannesweissteiner.com/pdfs/frost.pdf" target="_blank" rel="noopener">https://hannesweissteiner.com/pdfs/frost.pdf</A>) about yet another new tracking technique: timing the speed of the users SSD via OPFS.&nbsp;See also the discussion on HN here:&nbsp;<A href="https://news.ycombinator.com/item?id=48309492" target="_blank" rel="noopener">https://news.ycombinator.com/item?id=48309492</A>.</P><P>The Origin Private File System (OPFS) API allows websites to store potentially large files on a user's device — in some cases up to 60% of available disk space. Recent research has shown that this can be exploited as a side-channel attack vector: by timing OPFS I/O operations, a malicious site can infer what other websites or applications a user has running (see: <A href="https://arstechnica.com/security/2026/05/websites-have-a-new-way-to-spy-on-visitors-analyzing-their-ssd-activity/" target="_blank" rel="noopener">https://arstechnica.com/security/2026/05/websites-have-a-new-way-to-spy-on-visitors-analyzing-their-ssd-activity/</A>).</P><P>Firefox currently has two gaps when it comes to OPFS:</P><P>1. <STRONG>No DevTools visibility,</STRONG>&nbsp;Unlike cookies, localStorage, or IndexedDB, OPFS storage used by a website is not shown anywhere in the DevTools Storage Inspector. This makes it impossible for developers and privacy-conscious users to see what a site has written to disk.</P><P>2. <STRONG>No user controls</STRONG>. There is no setting to block OPFS access entirely, nor any option to mitigate the timing side-channel by injecting artificial jitter into OPFS read/write latency (similar to how Firefox already adds noise to certain APIs like canvas and AudioContext to prevent fingerprinting).</P><P><STRONG>Requested improvements:</STRONG></P><P>- Show OPFS usage per origin in the DevTools Storage Inspector, with the ability to inspect and delete stored files.<BR />- Add a permission or privacy setting to block or restrict OPFS access, either globally or per site.<BR />- Add random timing noise to OPFS operations to neutralize SSD-based side-channel attacks, consistent with Firefox's existing anti-fingerprinting approach.</P><P>These changes would bring OPFS in line with how Firefox already handles other storage APIs, and would meaningfully improve user privacy against an emerging class of attacks.</P> Mon, 01 Jun 2026 13:15:06 GMT https://connect.mozilla.org/t5/discussions/opfs-usage-per-origin-in-the-devtools-storage-inspector/m-p/127106#M50324 TheJanManShow 2026-06-01T13:15:06Z