Misguided JavaScript API: Origin Private File System
May 28 2026
The web browser vendors continually add JavaScript APIs that prioritize the needs of web developers over web users. The interests of the two groups can conflict, for example because web developers often want to fingerprint and track web users, and I would note that Google Search advertising revenue provides a large part of the funding for all three of the major web browser engines: Chromium, Gecko/Quantum, and WebKit. The Origin Private File System (OPFS) is one such API, which I would call misguided because it prioritizes web developers over web users:
The OPFS offers low-level, byte-by-byte file access, which is private to the origin of the page and not visible to the user. As a result, it doesn't require the same series of security checks and permission grants and is therefore faster than File System Access API calls.
In other words, the web browser silently grants a website its own private file system inside your own computer’s private file system!
Although the OPFS is subject to storage quotas, these tend to be ridiculously generous. According to the API documentation:
For WebKit-based browser apps, each origin can store up to around 60% of total disk.
WebKit also enforces an overall quota that stored data across all origins cannot grow beyond 80% of disk size for browser apps
I believe that this documentation is actually out of date, because in my testing with Safari 26 on two Macs with different disk sizes and free space, navigator.storage.estimate() returns exactly 82,463,372,084 bytes, which is approximately 77 gigabytes. That’s significantly less than 60% of the free disk space on my MacBook Pro, but it is 60% of 128 GB, which may be a hard-coded limit. In any case, it seems insane to allow a website to secretly write 77 GB of files to your disk!
That’s not the end of the problems with the OPFS. As recently highlighted by Ars Technica, a group of researchers has discovered that a maliciously crafted (or advertiser-crafted) website could exploit the OPFS for side-channel data exfiltration attacks, measuring the responsiveness of the computer’s SSD via JavaScript.
The good news is that these side-channel attacks are preventable in Safari by browsing the web with private windows:
The API is currently unavailable for Safari windows in Private Browsing mode.
Of course that doesn’t help when you visit sites where you want to remain logged in, but it helps for other sites, especially untrusted sites. (I use private browsing myself by default.) There are good reasons for the private window restriction on the OPFS: (1) by design, a private window is supposed to avoid writing website data to disk, and (2) the OPFS quota is too large to keep website data in RAM during the private browsing session instead of writing it to disk.
The bad news is that websites can use the OPFS to detect Safari private windows, precisely because the OPFS is disallowed in Safari private windows. Last year I blogged about this issue and created a test page to demonstrate.
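As an added example (not the post’s own test page, and not code from Safari or StopTheMadness), here is a diagnostic a user can paste into a browser console to see the two things discussed above: what navigator.storage.estimate() reports, and whether the OPFS root can be opened at all. The stubs standing in for navigator.storage, and the SecurityError name the private stub throws, are assumptions so the report can also run outside a browser.

```javascript
const GIB = 1024 ** 3;

// Turn the raw quota from navigator.storage.estimate() into the figures the
// post reasons about: the quota in GiB and, assuming WebKit's documented 60%
// rule, the disk size that quota implies.
function summarizeQuota(quotaBytes) {
  return {
    quotaGiB: Number((quotaBytes / GIB).toFixed(2)),
    impliedDiskGiB: Number((quotaBytes / 0.6 / GIB).toFixed(2)),
  };
}

// Report whether the OPFS root can be opened. The rejection is reported, not
// swallowed, because that difference is exactly what a page can observe.
async function opfsStatus(storage) {
  try {
    await storage.getDirectory();
    return 'available';
  } catch (err) {
    return `unavailable (${err.name})`;
  }
}

// Full report; pass navigator.storage when running in a browser console.
async function storageReport(storage) {
  const { quota = 0, usage = 0 } = await storage.estimate();
  const opfs = await opfsStatus(storage);
  return { quotaBytes: quota, usageBytes: usage, ...summarizeQuota(quota), opfs };
}

// Constructed stubs standing in for navigator.storage so the report runs
// outside a browser. The quota is the figure the post reports for Safari 26;
// the 'private' stub mimics Private Browsing, where getDirectory() rejects.
// The error name is an assumption, not necessarily Safari's actual DOMException.
function makeStub({ quota, opfsAllowed }) {
  return {
    estimate: async () => ({ quota, usage: 0 }),
    getDirectory: async () => {
      if (!opfsAllowed) {
        const e = new Error('OPFS is not available in this window');
        e.name = 'SecurityError';
        throw e;
      }
      return {}; // stand-in for the FileSystemDirectoryHandle
    },
  };
}

const normalStub = makeStub({ quota: 82463372084, opfsAllowed: true });
const privateStub = makeStub({ quota: 82463372084, opfsAllowed: false });

storageReport(normalStub).then((report) => console.log(report));
```

Running summarizeQuota on the post’s 82,463,372,084-byte figure gives 76.8 GiB, and dividing by 0.6 gives exactly 128 GiB, which is what suggests a hard-coded disk-size assumption rather than a measurement of the actual disk.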
My Safari extension StopTheMadness Pro stops websites from using the OPFS (and other known techniques) to detect Safari private windows. However, StopTheMadness Pro cannot currently disable the OPFS entirely. The reason is simple: many of the extension’s features are driven by customer requests, and customers have requested the one feature but not the other…yet.
Given the problems discussed in this blog post—lack of user control, massive storage quotas, data exfiltration, and private window detection—I think the Origin Private File System has proved itself to be a terrible idea that should have missed the cut of “a thousand no’s for every yes.” But I suppose that ship has sailed, that feature has shipped, and now it’s too late.