Closed Bug 1201509 Opened 6 years ago Closed 5 years ago
View instance for private browsing should not save any sensitive data
When using the WKWebView instance for private browsing, the following should not be saved: - Visited pages (URLs) - Form data (including usernames and passwords) - Search entries - Cookies - Temporary Internet files (cached files) Starting in iOS 9, we have access to the web view's data storage and with the introduction of a new class named WKWebsiteDataStore, we can now swap the default with a non-persistant version: https://github.com/WebKit/webkit/blob/master/Source/WebKit2/UIProcess/API/Cocoa/WKWebsiteDataStore.h#L48 We should investigate using this and see if it provides all of the functionality we're looking for.
Related: Alamofire ephemeral. Account/FxAClient10.swift 217: let configuration = NSURLSessionConfiguration.ephemeralSessionConfiguration() We should use that if we need to make fetches in non-WebKit code.
Some notes: - Visited pages (URLs) Now that we no longer save a url to history when you navigate (https://bugzilla.mozilla.org/show_bug.cgi?id=1201515), autocomplete/search suggestions no longer will populate with previously searched/navigated to items. - Search entries See comment above about visited URLs - Cookies Seems that using the non-persistent WKWebViewDataStore prevents cookies from being stored. I tried to navigate to http://www.whatarecookies.com/cookietest.asp in a regular tab and NSHTTPCookieStorage returned 1 cookie where as a private tab returns no cookies. - Temporary Internet files (cached files) WKWebViewDataStore is built to save any of these cached files to memory instead of disk which results in the WebDB/LocalStorage/IndexedDB folders on disk to not contain any entries for private tabs. - Form data (including usernames and passwords) The password manager and autofill logic we have is in our own control. Do we want to still ask the user to save their logins while in private mode? <- Darrin Some other things to consider: - Network requests we make external to the web content such as favicons Is there anything else anyone can think of that we are hitting?
Discussed offline, private tabs should not offer to save any personal data.
- In-progress video/audio via media center
- Private tabs should not be synced or appear in sync panel
Since this bug encompasses a bunch of other ones, I'm promoting this one to a meta bug.
Summary: WKWebView instance for private browsing should not save any sensitive data → [meta] WKWebView instance for private browsing should not save any sensitive data
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.