- From: Tanvi Vyas <tanvi@mozilla.com>
- Date: Fri, 5 Feb 2016 17:41:27 -0800
- To: Utkarsh Upadhyay <musically.ut@gmail.com>, Crispin Cowan <crispin@microsoft.com>
- Cc: Joel Weinberger <jww@chromium.org>, Anne van Kesteren <annevk@annevk.nl>, "timeless@gmail.com" <timeless@gmail.com>, Patrick Toomey <patrick.toomey@github.com>, Richard Barnes <rbarnes@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <56B54F47.6070706@mozilla.com>
Something similar to this was discussed a few months ago on this list: https://lists.w3.org/Archives/Public/public-webappsec/2015Sep/0016.html The biggest issue I see is that this could be easily abused by phishing/malware sites. The proposal considered sites that tailored towards victims of domestic abuse. But if the victim found the page through a search engine, the search terms would still be in their history. And hence opening the abuse site in a private window may give victims a false sense of security. A web API that caused the browser to ask the user if they wanted to clear that last X minutes of their history may be more useful. ~Tanvi On 1/24/16 2:03 AM, Utkarsh Upadhyay wrote: > So here's a summary of the discussion so far (the status of items with > question mark is not completely clear to me): > > Proposal: adding target="_private" to <a> tag spec and an explicit > "private mode" browsing context. > > Pros: > + Better UI/UX on some sites (e.g. some links on Reddit). > + Easier to give instructions when sites require a > session/cookie-less browsing context. > + Easier discoverability of the private browsing feature. > > Cons: > - Sites may conduct (phishing?) attacks on the user and not leave a > trace. > - Whether to go private or not should be strictly a user decision. > ? Will require standardizing Incognito/private mode across browsers. > - Unclear how to explain the risks involved in simple language to > the user. > > Compromises: > - Pop-ups for each click: too annoying and will be ignored. > ? One-off permission for domains, like the permissions for media access. > > Did I miss anything? > > ~ > ut > > > On Thu, Jan 14, 2016 at 2:29 AM, Crispin Cowan <crispin@microsoft.com > <mailto:crispin@microsoft.com>> wrote: > > I basically disbelieve the premise of the idea. Whether any > particular web browsing should be privatized/not-logged is not the > web site’s business, that is a user decision. > > Regarding the prompt, I completely agree with Joel, that would > become a nuisance prompt that users don’t understand, and quickly > come to hate and ignore. > > *From:*Joel Weinberger [mailto:jww@chromium.org > <mailto:jww@chromium.org>] > *Sent:* Wednesday, January 13, 2016 5:27 PM > *To:* Utkarsh Upadhyay <musically.ut@gmail.com > <mailto:musically.ut@gmail.com>>; Crispin Cowan > <crispin@microsoft.com <mailto:crispin@microsoft.com>> > *Cc:* Anne van Kesteren <annevk@annevk.nl > <mailto:annevk@annevk.nl>>; timeless@gmail.com > <mailto:timeless@gmail.com>; Patrick Toomey > <patrick.toomey@github.com <mailto:patrick.toomey@github.com>>; > Richard Barnes <rbarnes@mozilla.com <mailto:rbarnes@mozilla.com>>; > WebAppSec WG <public-webappsec@w3.org > <mailto:public-webappsec@w3.org>> > > > *Subject:* Re: Proposal to add a browsing context named "_private" > > That is now something Chrome would do, in part because we believe > it wouldn't mitigate the risk. Users would become desnesitized and > click through anyway, but even more importantly, there's no way to > explain the attack in generally understandable terminology. > > On Wed, Jan 13, 2016, 4:01 PM Utkarsh Upadhyay > <musically.ut@gmail.com <mailto:musically.ut@gmail.com>> wrote: > > > Let me put this another way: the _private proposal is an > attack vector. It lets a malicious web site block the user’s > browser from recording history data without the user’s consent. > > What if we ask the user for consent before opening each link > or make the websites ask for user's permissions explicitly > just like for media access? Would that mitigate the security risk? > > ~ > > ut > > On Tue, Jan 12, 2016 at 11:57 PM, Crispin Cowan > <crispin@microsoft.com <mailto:crispin@microsoft.com>> wrote: > > My comment about bookmarks was a joke: the point of > private browsing is to not leave tracks on your PC that > you have browsed to a particular place. Having a bookmark > on your PC for “naughty salacious things” is itself an > obvious trace, and so defeats the purpose. > > Let me put this another way: the _private proposal is an > attack vector. It lets a malicious web site block the > user’s browser from recording history data without the > user’s consent. If someone were to ship such a feature in > our browser, I would file a security bug to have it removed. > > *From:*Utkarsh Upadhyay [mailto:musically.ut@gmail.com > <mailto:musically.ut@gmail.com>] > *Sent:* Tuesday, January 12, 2016 2:38 AM > *To:* Anne van Kesteren <annevk@annevk.nl > <mailto:annevk@annevk.nl>> > *Cc:* Crispin Cowan <crispin@microsoft.com > <mailto:crispin@microsoft.com>>; Joel Weinberger > <jww@chromium.org <mailto:jww@chromium.org>>; > timeless@gmail.com <mailto:timeless@gmail.com>; Patrick > Toomey <patrick.toomey@github.com > <mailto:patrick.toomey@github.com>>; Richard Barnes > <rbarnes@mozilla.com <mailto:rbarnes@mozilla.com>>; > WebAppSec WG <public-webappsec@w3.org > <mailto:public-webappsec@w3.org>> > *Subject:* Re: Proposal to add a browsing context named > "_private" > > > I know! How about letting the user specify that a > bookmark should be opened in-private? … oh, right :P > > I understand that the comment was made to show that > target="_private" will not solve all problems associated > with opening links in private mode, but this set me > thinking in another direction. > > As Crispin's comment points out, bookmarking is also a > feature common to all browsers and which is, AFAIK, not > standardized (notwithstanding the link type="bookmark", > which doesn't address this feature of browsers explicitly). > > I don't see any immediate benefit of standardizing it and > I actually wouldn't support it without some very very good > reasons. > > However, the more I think about it, private mode browsing > is the kind of feature which would really benefit from > standardization: it would make the developers know what to > expect and would make sure that users get the similar sort > of guarantees across all conforming browsers. > > In that spirit, I think a new named browsing context is a > good way to introduce such a standardization and a way of > opening it up to web developers. > > ~ > > ut > > On Tue, Jan 12, 2016 at 9:18 AM, Anne van Kesteren > <annevk@annevk.nl <mailto:annevk@annevk.nl>> wrote: > > On Tue, Jan 12, 2016 at 1:08 AM, Crispin Cowan > <crispin@microsoft.com <mailto:crispin@microsoft.com>> > wrote: > > I think this whole area causes more problems than it > solves. I can clearly > > see the problems, much less clear on potential > solutions, and really vague > > on the problem it is trying to solve. > > It seems pretty clear to me. For some use cases, the > website can offer > better UI than the browser. E.g., for most social > media that relates > around sharing links, as OP suggested, the user could > opt-in to > opening certain links in a "private mode". This is > much more > discoverable than the equivalent feature in a browser > and is also more > usable as you don't have to right-click, hold down a > set of keys, or > some equivalent forgetful thing on your phone. > > > -- > https://annevankesteren.nl/ > >
Received on Saturday, 6 February 2016 01:42:04 UTC