Closed Bug 464792 Opened 16 years ago Closed 15 years ago

Exit Private Browsing mode when all windows are closed

Categories

(Firefox :: Private Browsing, defect)

Product:
Firefox
Component:
Private Browsing
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: ehsan.akhgari, Assigned: ehsan.akhgari)

References

Details

(Keywords: privacy)

Attachments

(1 file, 1 obsolete file)

Patch (v1)
5.16 KB, patch
mconnor
: review-
Details | Diff | Splinter Review 
Spinoff from bug 411929 comment 61:

We need to exit the private browsing mode as soon as the last browser window has been closed.  Otherwise we run the risk of "leaking" the information that the user has been browsing inside the private browsing mode to possible people from whom the whole thing was meant to be kept secret.

Patch forthcoming.
Flags: in-litmus?
Tell me if I'm wrong: This is the Mac version of bug 463188, isn't it, because on the Mac (and only on the Mac) you can close all windows without quitting the application?
Mass moving of all Firefox::General private browsing bugs to Firefox::Private Browsing.
Component: General → Private Browsing
QA Contact: general → private.browsing
Ehsan, can you give a status update? I think due to the privacy concerns it should be handled with a higher severity.
Severity: normal → major
Flags: blocking-firefox3.1?
Hardware: x86 → All
IMHO this should be done regardless of platform when all browser windows are closed even if there are other non-browser windows still open. Just my .02, ignore at will :-)
That makes sense. Here some simple STR:

1. Entering PB mode
2. Open Library
3. Close all browser windows
4. Open a bookmark from within the Library

After step 4 we are still in PB mode. I would also tend to say that users expect to stay in regular browsing mode from now on. Alex, shall we enhance this bug to all platforms/OS?
(In reply to comment #5)
> That makes sense. Here some simple STR:
> 
> 1. Entering PB mode
> 2. Open Library
> 3. Close all browser windows
> 4. Open a bookmark from within the Library
> 
> After step 4 we are still in PB mode. I would also tend to say that users
> expect to stay in regular browsing mode from now on. Alex, shall we enhance
> this bug to all platforms/OS?

Makes sense to me.  -> OS: All.
OS: Mac OS X → All
(In reply to comment #3)
> Ehsan, can you give a status update? I think due to the privacy concerns it
> should be handled with a higher severity.

I've been stumped with other work recently, but hopefully that will change by next week and I'll be back on my full speed.  I'll give this priority.
Whiteboard: [PB todo]
Ehsan, that's no problem. Enjoy Christmas first!
Attached patch WIP (obsolete) — Splinter Review 
WIP patch.

It seems like nsIWindowMediatorListener's onCloseWindow method is not called at all.  And I'm not sure how to get a nsIDOMWindow from a nsIXULWindow which should be passed to onCloseWindow...
Doesn't block, nice to have, though for completeness. We're pretty clear about what it takes to exit Private Browsing mode when one enters it.
Flags: wanted-firefox3.1+
Flags: blocking-firefox3.1?
Flags: blocking-firefox3.1-
Attached patch Patch (v1)Splinter Review 
domwindowclosed was the key here.
Attachment #355570 - Attachment is obsolete: true
Attachment #361071 - Flags: review?(gavin.sharp)
Whiteboard: [PB todo]
Whiteboard: [has patch][needs review gavin]
Gavin: could you please provide an ETA on this review?
Comment on attachment 361071 [details] [diff] [review]
Patch (v1)

I'm actually pretty sure this is the wrong fix.  If Downloads is open, and I'm downloading stuff in PB mode, and exiting will force me out of PB mode.  I think that users should exit the app if they don't want people to discover they were using PB mode.  The user will know they're still in PB mode when they open a window, so they should figure this out.  If they're concerned about data leakage, they can make sure they exited the window.  This isn't new to PB mode, see also stuff about sites telling users to exit completely to complete logout.
Attachment #361071 - Flags: review?(gavin.sharp) → review-
So are you suggesting WONTFIXing this bug?
Whiteboard: [has patch][needs review gavin]
I'm suggesting we need to decide which is of greater concern:

a) The data leak from other users discovering a person was in private browsing mode

or 

b) The data leak from users not noticing they're _not_ in private browsing mode despite not reversing their explicit choice to enter private browsing mode, and browsing to whatever they're trying to keep private.

b) is my bigger concern.

This bug strikes me as trying to be too clever by half, and I'd like someone to convince me that a) should be a bigger concern...
Well for one most users aren't fully aware of the app - browser distinction. That is to say, most inexperienced users don't think twice after hitting the [x] on the browser window to check for other windows (ie the downloads or library window). That's how the confusion of bug 354894 happened...

> a) The data leak from other users discovering a person was in private browsing
> mode

It's a lot more than that being that the session is still in memory and readily available.
(In reply to comment #16)
> > a) The data leak from other users discovering a person was in private browsing
> > mode
> 
> It's a lot more than that being that the session is still in memory and readily
> available.

What do you mean?  You mean the non-private session?  How come that will be a problem?
No I mean the private session. Take user a visits a few sites in pb mode, then shuts down the browser (leaving the downloads window open) and leaves his computer. Now user b comes and looks through the cookies to see what user a visited. This can especially happen in kiosk mode where autostart is enabled...
Fair enough.  mconnor, what do you think?
If you're in autostart mode, this patch will force you out of private browsing mode.  That certainly isn't expected results...  We don't have a supported "kiosk mode" either.  So that point's kinda confusing.  The only way to solve the problem you're raising in a safe way is to exit the app when the last browser window closes.  That's wrong on Mac at least, but probably wrong on all platforms, especially if users are using extensions like Chatzilla.

Also, you certainly can't assert that Mac users don't know the difference between closing windows and quitting.  That's how every app on the platform works.  Nor can you assert "most users" don't understand the difference.  I think that's generally hard to argue without evidence...

I think the data leaked when unknowingly no longer in private mode is a lot more damaging (and complete) than what is available if another user accesses your machine without you properly exiting private mode.  If I think I'm in private mode, I'll have lots of juicy history persisted, and I might not even realize it.  I think if users want to end their session, they need to exit the app, and if they need to learn a little to do that, that's fine.  Most people seem to have figured that out for session restore, or that feature would be a lot less useful.
Talked to Alex and discussed this more.  There's explicit instructions for exiting private browsing, and this really just complicates things.  Going to mark WONTFIX.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → WONTFIX
Flags: in-litmus?
The ideal solution is of course the ability to have private browsing windows, so we will hopefully be able to address this usability problem at some point in the future.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: