The navigator.storage quota API returns stable identifiers #12370

Closed
fmarier opened this issue Oct 28, 2020 · 2 comments · Fixed by brave/brave-core#6622
Labels
OS/Android Fixes related to Android browser functionality OS/Desktop privacy QA/No release-notes/exclude

Comments

fmarier commented Oct 28, 2020

Originally reported on https://hackerone.com/reports/1021114

On my machine, I see the following in Chrome and Brave:

> (await navigator.storage.estimate()).quota
1175370308812

but Firefox seems to cap it at 2GB:

(await navigator.storage.estimate()).quota
2147483648

We should probably do the following:

  1. Cap the value like Firefox.
  2. Reduce the granularity of the data.
  3. Farble.

fmarier added the privacy, OS/Android and OS/Desktop labels Oct 28, 2020
antonok-edm self-assigned this Oct 28, 2020

antonok-edm commented

Some additional context...

Chromium implementation details

On my Linux computer, the quota value ends up returning exactly the full storage space of my LVM home partition, scaled by 0.8 * 0.75. Not only is this a persistent identifier, this value is not even useful for websites interested in using local storage because it reports space that is already occupied by other files.

navigator.storage spec

The official spec says:

The storage quota of a storage shelf is an implementation-defined conservative estimate of the total amount of bytes it can hold. This amount should be less than the total storage space on the device. It must not be a function of the available storage space on the device.

With an additional note about fingerprinting:

Directly or indirectly revealing available storage space can lead to fingerprinting and leaking information outside the scope of the origin involved.

The Chromium implementation is incorrect, as it directly reveals the amount of storage space normally, and reveals a capped amount of storage space in private browsing mode. This also makes it easy for websites to detect private browsing (see #11543).

Conclusion

Since the API is unusable as-is except as a fingerprinting vector, the correct approach here should be to simply hard-code the value. 2GB is both consistent with Firefox's implementation and conveniently avoids private browsing detection.
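
The mitigation options raised in this thread (cap, reduce granularity, hard-code), compared in an added example that is not part of the issue or of Brave's or Chromium's code: it counts how many distinct quota values a set of devices would report under each policy. The 0.8 * 0.75 scaling is taken from the comment above; the partition sizes, the power-of-two bucketing and all function names are assumptions made for illustration.

```javascript
// Added example (not Brave or Chromium code): how much identifying
// information each quota-reporting policy leaves in the reported value.
const GIB = 2 ** 30;
const FIXED_QUOTA = 2 * GIB; // 2147483648, the Firefox value quoted in the issue

// Assumption: the 0.8 * 0.75 scaling of partition size described in the thread.
const rawQuota = (partitionBytes) => Math.floor(partitionBytes * 0.8 * 0.75);

const policies = {
  raw: (p) => rawQuota(p),
  capped: (p) => Math.min(rawQuota(p), FIXED_QUOTA),
  // Reduced granularity: round down to a power of two (hypothetical bucketing).
  bucketed: (p) => 2 ** Math.floor(Math.log2(rawQuota(p))),
  fixed: () => FIXED_QUOTA,
};

// Shannon entropy (bits) of the values reported across a population.
function entropyBits(values) {
  const counts = new Map();
  for (const v of values) counts.set(v, (counts.get(v) || 0) + 1);
  let bits = 0;
  for (const c of counts.values()) {
    const p = c / values.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Constructed sample: partition sizes in bytes for eight imaginary devices.
const partitions = [
  3 * GIB, 64 * GIB, 238 * GIB + 12345, 238 * GIB + 99999,
  465 * GIB, 476 * GIB + 4096, 931 * GIB, 1863 * GIB + 777,
];

// For each policy: number of distinct reported values and their entropy.
function summarize(population) {
  const out = {};
  for (const [name, policy] of Object.entries(policies)) {
    const reported = population.map(policy);
    out[name] = { distinct: new Set(reported).size, bits: entropyBits(reported) };
  }
  return out;
}

console.log(summarize(partitions));
```

In this sample the capped policy still separates the 3 GiB device from the others, because its scaled quota falls below the cap; only the fixed value reports the same number for every device.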

antonok-edm commented

Labeled as QA/No since this is already covered by #11543.
