Remove ability to override new tab page in private windows (about:privatebrowsing)

RESOLVED DUPLICATE of bug 1525125

Status

P1
normal
RESOLVED DUPLICATE of bug 1525125
2 years ago
13 days ago

People

(Reporter: ke5trel, Assigned: mixedpuppy)

Tracking

(Blocks: 2 bugs)

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: triaged)

(Reporter)

Description

2 years ago
The user may want a custom new tab page in private windows which would require overriding about:privatebrowsing. Chrome allows extensions that override the new tab page to work in incognito windows.
(Reporter)

Updated

2 years ago
Blocks: 1161828
Depends on: 1234150

Updated

2 years ago
Whiteboard: [private, new tab] design-decision-needed
Adding Javaun, as guidance around this would be needed. Third-party overrides would potentially allow info leaks and tracking in PBM, so we'd need to flesh this out from a Private Browsing PoV first.
Flags: needinfo?(jmoradi)

Comment 2

2 years ago
This has landed in bug 1234150 and currently this works in private browsing mode as well as normal mode by allowing you to override the new tab page.

I'm confused by comment 0 which contradicts the documentation "New Tab pages cannot be overridden in incognito windows" 

https://developer.chrome.com/extensions/override

Should we be restricting this in private browsing?
Flags: needinfo?(kev)
Per comment #1, looking for guidance from private browsing product.

My vote is yes. Custom newtabs can leak info to orgs other than mozilla. Users should be required to specifically enable an addon in private browsing mode to effect the changes they make.
Flags: needinfo?(kev)
(In reply to Kev Needham [:kev] from comment #3)
> My vote is yes. Custom newtabs can leak info to orgs other than mozilla.
> Users should be required to specifically enable an addon in private browsing
> mode to effect the changes they make.

And, to be clear, our newtab does not, iirc, leak info by default, where other newtabs can (and frequently do) load resources from third party sites.

Comment 5

2 years ago
Changing bug title to be clearer that we are planning on removing this ability. This ability was added in Firefox 53, so we'll need to land this patch soon to remove it - based on Javaun's feedback.
Summary: Ability to override new tab page in private windows (about:privatebrowsing) → Remove ability to override new tab page in private windows (about:privatebrowsing)

Updated

2 years ago
Priority: -- → P3
Whiteboard: [private, new tab] design-decision-needed → triaged
Clearing my NI (sorry it took so long) and adding Pdol, who is product owner for PBM
Flags: needinfo?(jmoradi) → needinfo?(pdolanjski)
(In reply to Andy McKay [:andym] from comment #5)
> Changing bug title to be clearer that we are planning on removing this
> ability. This ability was added in Firefox 53, so we'll need to land this
> patch soon to remove it - based on Javaun's feedback.

This seems like the right approach to me given the risk of newtab leaking info, unbeknownst to the user.
Flags: needinfo?(pdolanjski)
(Assignee)

Comment 8

10 months ago
setting p1/unassigned to force group re-triage
Priority: P3 → P1
Priority: P1 → P2
Blocks: 1460738

Updated

8 months ago
Product: Toolkit → WebExtensions
(In reply to Peter Dolanjski [:pdol] from comment #7)
> (In reply to Andy McKay [:andym] from comment #5)
> > Changing bug title to be clearer that we are planning on removing this
> > ability. This ability was added in Firefox 53, so we'll need to land this
> > patch soon to remove it - based on Javaun's feedback.
> 
> This seems like the right approach to me given the risk of newtab leaking
> info, unbeknownst to the user.

:pdol, I'm wondering if you could chime in on this (2-year old) bug again. We are planning to land bug 1457001 in release 66 which will require the user to explicitly opt-in to using any particular extension, including new tab page override, in private browsing windows. Is that sufficient from your point-of-view?  Or do we want to go a step further, and actually prohibit new tab page overrides from working in private browsing windows, which is what this bug is suggesting?
Flags: needinfo?(pdolanjski)

Upping to P1 because of timeline.

Priority: P2 → P1
(Assignee)

Updated

13 days ago
Assignee: nobody → mixedpuppy
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
(Assignee)

Comment 11

13 days ago

I'm closing this down. To long for ni, comments are referencing feedback outside the bug, etc etc.

Bug 1525125 and by extension bug 1380809 take care of user involvement in decided whether these work in pbm.

Status: ASSIGNED → RESOLVED
Last Resolved: 13 days ago
Flags: needinfo?(pdolanjski)
Resolution: --- → DUPLICATE
Duplicate of bug: 1525125
You need to log in before you can comment on or make changes to this bug.