On Thu, Sep 3, 2015 at 5:25 PM, Richard Barnes <rbarnes@mozilla.com> wrote: > Well, this immediately runs into the problem that there's no specification > of what Private Browsing / Incognito mode actually does. Even when it > comes to basic things like cookie lifetime, there are different behaviors > among browsers. There has been some effort to clean this up, but AFAIK, > not much progress. > I think mnot@ was looking at this. I agree that there's some value in trying to converge here, but I suspect there's not a lot of shared vision for the mode at the fringes. Tracking Protection, for instance, goes well beyond "Don't store data persistently.". > The long description (with mock-ups) is here: >> https://wiki.mozilla.org/Security/Automatic_Private_Browsing_Upgrades >> >> The above is a draft intended to start a discussion, but the main things >> I'm wondering about are: >> >> - Does it fit within our working group charter? >> - Is CSP the right delivery mechanism? >> - Should this be rolled into the clear-site-data spec instead? >> > > I feel like there are several current proposals dancing around a common > concept: > > - Auto-PBM > - Clear site data > - Suborigins > > (This also relates the the Containers work that's going on in Firefox > right now. > https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers) > > All of these things relate to the origin security model being too loose, > either in space (suborigins) or time (clear-site-data, auto-PBM). Some of > them (containers, auto-PBM) also carry along a notion that whatever > constraints on the origin model are applied to the top-level site should > also be transitively applied to its dependencies. > > I would rather we get this overall concept right than chase after these > point solutions. > This sounds interesting, but also quite vague. What do you consider "this overall concept"? :) -mike
Received on Thursday, 3 September 2015 16:00:46 UTC