W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2016

Re: Proposal to add a browsing context named "_private"

From: Patrick Toomey <patrick.toomey@github.com>
Date: Mon, 11 Jan 2016 22:27:06 +0000
Message-ID: <CAN4Q8dBWZ2=cOvFOCVvVSYuW-1Zy0ksE2EoQ3nazwa6TrBGfdQ@mail.gmail.com>
To: timeless@gmail.com
Cc: Richard Barnes <rbarnes@mozilla.com>, Utkarsh Upadhyay <musically.ut@gmail.com>, WebAppSec WG <public-webappsec@w3.org>
> Yeah, the current system means that an evil site could figure out that
> you're using incognito and link the two (normal, incognito) if we
> don't do what you propose. Although, technically most sites could just
> assume that two clients w/ the same ip and general browser shape are
> probably the same even if credentials don't match...

I was more thinking about maliciousness between browsing contexts. For
example, while incognito mode doesn't seem explicitly designed for this,
let's say I open up a new incognito mode window and visit
www.supersecretsite.com and login. And, let's say there is some GET based
XSS that can be triggered on that site. I would personally assume that
there should be no way for a non-incognito window to initiate a request
(particularly one that is using my incognito cookies) to my incognito
window with the XSS payload. It feels as though the possibility of such a
scenario violates a privacy expectation.

On Mon, Jan 11, 2016 at 3:19 PM timeless <timeless@gmail.com> wrote:

> On Mon, Jan 11, 2016 at 5:12 PM, Patrick Toomey
> <patrick.toomey@github.com> wrote:
> > I don't dislike the idea, but I wonder if it is as trivial as it seems. For
> > example, do any browsers currently support a per-window private mode?
>
> I believe Chrome is pretty close to being able to do it, since afaict,
> it supports multiple active user profiles.
>
> > With Chrome, it seems like the current implementation supports two contexts,
> > incognito and non-incognito. For example, let's say I do the following:
> >
> > * open a private mode window with "New incognito window"
> > * visit a site (say www.somesite.com)
> > * login
> >
> > If I then go back to my non-incognito window and open a new private mode
> > window using "New incognito window", the new window seems to have the same
> > context as my first incognito window. If I go back to www.somesite.com, my
> > cookies are shared and I am currently logged in.
>
> Yeah, the current system means that an evil site could figure out that
> you're using incognito and link the two (normal, incognito) if we
> don't do what you propose. Although, technically most sites could just
> assume that two clients w/ the same ip and general browser shape are
> probably the same even if credentials don't match...
>
> > It seems as though, if one is going to allow a third-party site to initiate
> > opening of a private-mode window, it might be better to force a new browsing
> > context, with nothing shared with any existing private mode windows. That
> > sounds doable, and possibly even trivial. But, it does seem like those kinds
> > of things would have to be more fully fleshed out.
>
>
> The UX will not be fun to design. Because you then have to explain
> visually to a user that this private window isn't connected to that
> private window.
>
> I'm not opposed to this feature, just warning about the problems that
> it entails...
>
Received on Monday, 11 January 2016 22:27:45 UTC