Chrome bug meant browser didn’t respect user requests to delete YouTube site data

If you ask Chrome to delete all cookies and site data whenever you quit the browser, it’s reasonable to expect that this policy applies to all websites. Recently, though, a bug in the browser meant data wasn’t being removed for one site in particular: YouTube.

This problem was first documented by iOS developer Jeff Johnson on his blog. Johnson found that in Chrome version 86.0.4240.75, “local storage” data for YouTube.com stuck around even after restarting the browser. We’ve been able to replicate similar behavior.

According to The Register, site data allows websites to store personal information about visitors, letting them remember information about users when they visit again in the future. In comparison, cookies are generally used to track users preferences and identities across different sites. However, The Register notes that Chrome’s behavior could allow Google to stash cookie-style data as site data, allowing it to track users even when they think they’re being careful by deleting their cookie and site data every time they close the browser.

In a statement, Google said it was aware of the issue and was working on a fix. “We are aware of a bug in Chrome that is impacting how cookies are cleared on some first-party Google websites,” a spokesperson said. “We are investigating the issue, and plan to roll out a fix in the coming days.” As of this writing, a fix already appears to be available. After we upgraded the Chrome browser to version 86.0.4240.111, YouTube’s local storage data seems to successfully purge after a restart.

The bug is understood to have been introduced as Google phased out the browser’s support for hosted apps. As Johnson notes, it is possible to ensure that Google’s sites don’t create any local storage data, but it involves adding them to Chrome’s list of “Sites that can never use cookies.”

Johnson and The Register also reported that site data from Google.com also appeared to remain after a restart. However, in comments given to The Verge, Google confirmed that this is expected behavior. This is because Chrome’s default new tab page includes a Google search box and Google sign-in link, meaning a cookie gets re-added when this page is visited. We were able to verify this by setting Chrome to open up a website rather than an empty tab on startup, and saw that Google.com local storage did not appear.

The context for this are the big changes that are coming to how Chrome handles third-party cookies. Earlier this year, Google announced plans to phase out third-party cookies entirely in Chrome over the next two years and replace them with new technologies that are less invasive. However, if these new rules aren’t applied fairly across all websites, then Google risks attracting even more antitrust scrutiny. Just yesterday, the USA’s Justice Department filed antitrust charges against the company for illegal monopolization of the search and ad markets. The last thing Google needs is to give antitrust regulators more ammunition.