
RE: Proposal to add a browsing context named "_private"

From: Crispin Cowan <crispin@microsoft.com>
Date: Mon, 11 Jan 2016 22:57:17 +0000
To: Joel Weinberger <jww@chromium.org>, "timeless@gmail.com" <timeless@gmail.com>, Patrick Toomey <patrick.toomey@github.com>
CC: Richard Barnes <rbarnes@mozilla.com>, Utkarsh Upadhyay <musically.ut@gmail.com>, WebAppSec WG <public-webappsec@w3.org>
Message-ID: <BN3PR0301MB122019999BECAA65EFBC624CBDC90@BN3PR0301MB1220.namprd03.prod.outlook.com>

Sorry, I don’t like it. The decision to go “in private” is the user’s, based on their particular social context of whether they want this browsing to be discoverable. The web site has no business telling the browser whether or not to preserve this browsing history.

Some examples:

* Shopping for jewelry: not normally salacious, but one might want to do it in-private if shopping for a spouse’s surprise gift, and especially if one is shopping for a secret mistress’s gift.

* Gay sites don’t need to be in-private at all if you are George Michael, but they really need to be in-private if you are Larry Craig.

* I use my history a lot, and my wife does not care at all what sites I visit. I would be REALLY offended if a web site turned off my history for me.

The one counter-example I can think of is AshleyMadison.com which the typical user would just about always want to be in-private. Except for the journalists & such who investigated it after the scandal broke, and they would probably be annoyed at having their history blocked.

So, no thanks, don’t want to do that.

From: Joel Weinberger [mailto:jww@chromium.org]
Sent: Monday, January 11, 2016 2:29 PM
To: timeless@gmail.com; Patrick Toomey <patrick.toomey@github.com>
Cc: Richard Barnes <rbarnes@mozilla.com>; Utkarsh Upadhyay <musically.ut@gmail.com>; WebAppSec WG <public-webappsec@w3.org>
Subject: Re: Proposal to add a browsing context named "_private"

Why is the current Firefox/Chrome approach of offering an "open in private window" menu choice not sufficient? It seems like it provides strictly more user control, and I don't really see a time when a site would know better than the user that it should be "private".

Which also raises the question of what "private" actually means. The Chrome guarantees are misunderstood commonly enough, and I suspect are not consistent with Firefox's guarantees. This feature would require formalizing these modes, and that seems tricky at best, since the user agents are not necessarily providing the same guarantees.

In any case, I'd like to better understand the use case of when a site knows that a link should be opened "privately" and it shouldn't be the user's choice before we go too far down this path.
--Joel

On Mon, Jan 11, 2016 at 2:21 PM timeless <timeless@gmail.com> wrote:
On Mon, Jan 11, 2016 at 5:12 PM, Patrick Toomey <patrick.toomey@github.com> wrote:
> I don't dislike the idea, but I wonder if it is as trivial as it seems. For
> example, do any browsers currently support a per-window private mode?

I believe Chrome is pretty close to being able to do it, since afaict,
it supports multiple active user profiles.

> With
> Chrome, it seems like the current implementation supports two contexts,
> incognito and non-incognito. For example, let's say I do the following:
>
> * open a private mode window with "New incognito window"
> * visit a site (say www.somesite.com)
> * login
>
> If I then go back to my non-incognito window and open a new private mode
> window using "New incognito window", the new window seems to have the same
> context as my first incognito window. If I go back to www.somesite.com, my
> cookies are shared and I am currently logged in.

Yeah, the current system means that an evil site could figure out that
you're using incognito and link the two (normal, incognito) if we
don't do what you propose. Although, technically most sites could just
assume that two clients w/ the same ip and general browser shape are
probably the same even if credentials don't match...

> It seems as though, if one is going to allow a third-party site to initiate
> opening of a private-mode window, it might be better to force a new browsing
> context, with nothing shared with any existing private mode windows. That
> sounds doable, and possibly even trivial. But, it does seem like those kinds
> of things would have to be more fully fleshed out.


The UX will not be fun to design. Because you then have to explain
visually to a user that this private window isn't connected to that
private window.

I'm not opposed to this feature, just warning about the problems that
it entails...
Received on Monday, 11 January 2016 22:57:47 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:17 UTC