GitLab

When TorButton's "New Identity" button is pressed, the permissions stored with nsIPermissionManager aren't cleared, even though nsIPermissionManager.removeAll() is called.

From torbutton_do_new_identity() in src/chrome/content/torbutton.js:

  torbutton_log(3, "New Identity: Clearing permissions");
                       
  let pm = Cc["@mozilla.org/permissionmanager;1"].
           getService(Ci.nsIPermissionManager);
  pm.removeAll();                    

  torbutton_log(3, "New Identity: Sending NEWNYM");

There's a ton of info stored in this thing, including how many time the site has been visited, if popups are allowed, if a site can access offline storage, etc. For me, several dozen sites are listed after clicking "New Identity". It seems to have been keeping these permissions for quite a while, as some of my sites are reported to have hundreds of visits.

To reproduce, do some stuff in TorBrowser for a while, then click "TorButton > New Identity", then navigate to about:permissions.