Re: Proposal to add a browsing context named "_private"

From: Joel Weinberger <jww@chromium.org>
Date: Mon, 11 Jan 2016 22:28:56 +0000
Message-ID: <CAHQV2KmomFMiOEDLAveiiov6EQGX9ztyWky-hQZ5tzncm8a3zg@mail.gmail.com>
To: timeless@gmail.com, Patrick Toomey <patrick.toomey@github.com>
Cc: Richard Barnes <rbarnes@mozilla.com>, Utkarsh Upadhyay <musically.ut@gmail.com>, WebAppSec WG <public-webappsec@w3.org>

Why is the current Firefox/Chrome approach of offering an "open in private
window" menu choice not sufficient? It seems like it provides strictly more
user control, and I don't really see a time when a site would know better
than the user that it should be "private".

Which also raises the question of what "private" actually means. The Chrome
guarantees are misunderstood commonly enough, and I suspect are not
consistent with Firefox's guarantees. This feature would require
formalizing these modes, and that seems tricky at best, since the user
agents are not necessarily providing the same guarantees.

In any case, I'd like to better understand the use case of when a site
knows that a link should be opened "privately" and it shouldn't be the
user's choice before we go too far down this path.

On Mon, Jan 11, 2016 at 2:21 PM timeless <timeless@gmail.com> wrote:

> On Mon, Jan 11, 2016 at 5:12 PM, Patrick Toomey
> <patrick.toomey@github.com> wrote:
> > I don't dislike the idea, but I wonder if it is as trivial as it seems. For
> > example, do any browsers currently support a per-window private mode?
>
> I believe Chrome is pretty close to being able to do it, since afaict,
> it supports multiple active user profiles.
>
> > With
> > Chrome, it seems like the current implementation supports two contexts,
> > incognito and non-incognito. For example, let's say I do the following:
> >
> > * open a private mode window with "New incognito window"
> > * visit a site (say www.somesite.com)
> > * login
> >
> > If I then go back to my non-incognito window and open a new private mode
> > window using "New incognito window", the new window seems to have the same
> > context as my first incognito window. If I go back to www.somesite.com, my
> > cookies are shared and I am currently logged in.
>
> Yeah, the current system means that an evil site could figure out that
> you're using incognito and link the two (normal, incognito) if we
> don't do what you propose. Although, technically most sites could just
> assume that two clients w/ the same ip and general browser shape are
> probably the same even if credentials don't match...
>
> > It seems as though, if one is going to allow a third-party site to initiate
> > opening of a private-mode window, it might be better to force a new browsing
> > context, with nothing shared with any existing private mode windows. That
> > sounds doable, and possibly even trivial. But, it does seem like those kinds
> > of things would have to be more fully fleshed out.
>
> The UX will not be fun to design. Because you then have to explain
> visually to a user that this private window isn't connected to that
> private window.
>
> I'm not opposed to this feature, just warning about the problems that
> it entails...

Received on Monday, 11 January 2016 22:29:35 UTC