Closed Bug 467290 Opened 16 years ago Closed 16 years ago

Private browsing prevents read from disk in addition to write to disk, disabling many websites

Categories

(Firefox :: Private Browsing, defect)

PowerPC
macOS
defect
Not set
major

Tracking

()

RESOLVED INVALID

People

(Reporter: notforyourmail, Unassigned)

References

()

Details

(Whiteboard: [invalid?])

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081130 Minefield/3.1b3pre
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b3pre) Gecko/20081130 Minefield/3.1b3pre

If you enable private browsing, then many websites that rely upon cookies fail to work.  For example, Yahoo Mail will not allow you to log into its site, because it can not set a cookie, and it can not receive a cookie from your hard drive.  Compare this behavior to private browsing in Safari, where all sites work, but no data about which sites you visited is recorded, and no cookies are stored.  No sites that I regularly use that require a login were fully functional in private browsing mode.

Perhaps Private Browsing could be split into two modes, or have two different levels of functionality.  One would not record any data on your machine,  The other would not send any data such as cookies to remote websites.  I question the value of the second set of functionality though, because websites already know which machines are visiting them with reasonably high certainty based on their IP address.  (Yes, an IP isn't a unique identifier, can change, and can be forged, but breaking the sites isn't really useful as a user.)

Another solution would be to copy all cookies and other data into memory, then alter only the in-memory copy when private browsing is enabled.  When it is disabled, the browser can erase the in memory copies, and use the normal on disk copies.

Reproducible: Always

Steps to Reproduce:
1.  Enable private browsing
2.  Go to a site where you have a login, such as mail.yahoo.com or slashdot.org
3.  Can't log in, and no functionality available only to logged in users is available
4.  Disable private browsing
5.  Can log in (or already logged in), but browsing data is saved to the local machine.
Actual Results:  
Many websites break.  Badly.

Expected Results:  
Websites should work but data should not be altered on disk.
(In reply to comment #0)

> Another solution would be to copy all cookies and other data into memory, then
> alter only the in-memory copy when private browsing is enabled.  When it is
> disabled, the browser can erase the in memory copies, and use the normal on
> disk copies.

IIRC this is exactly what was implemented, will reverify later...
Not everyone commenting here has a Yahoo account.  But we *can* assume
that everyone has an account at bugzilla.mozilla.org.

I'm not able to reproduce what you report with my bmo account (which I
know does rely on storing information in a cookie).  Here's what I did:

1) Start Minefield.

2) Turn on private browsing.

3) Visit https://bugzilla.mozilla.org/.

   You will always find that you need to log in, even if you've set
   Minefield to store your bmo account and password.  In other words,
   Minefield will lose track of the information (stored in a cookie)
   that shows you were already logged in.

   But, though you do have to specify your account and password, you
   *are* able to log in.

Side note:  Don't try steps 2 and 3 if you've already visited
https://bugzilla.mozilla.org/ before turning on Private Browsing.
You'll get hit by bug 463256.
I just tried it again with mail.yahoo.com, and this time, I was able to log in.  I also tried going to slashdot, and was not logged in because it didn't send the cookie data.

But this doesn't make sense if, as Natch stated, the cookies are copied into memory and modified in memory only.  If the cookies are copied into memory, you should see no difference in any site while you do private browsing, because those sites should be reading appropriate data from your cookies.  However, when you turn off private browsing, there should be no modifications to your cache or cookies.  But what is actually happening is that you must now log in to every web site again in order to make use of them, which is very inconvenient.  This doesn't protect your privacy in most cases, since you must still log in, although it does add some degree of anonymity to visiting a website that you would not have had before.  However, it does make it much less convenient to use private browsing.  Additionally, because Firefox gets rid of all of your current browser windows while you have private browsing enabled, switching to private browsing can be very disruptive.

Example:
You have several Firefox windows open with work in several tabs.  You want to use private browsing while visiting one website.  You must now stop all work in the other tabs because you have private browsing turned on.  Additionally, if you have windows in different spaces on OS X, your windows will not restore to the same spaces when you turn off private browsing (since Firefox doesn't save space information when it saves your windows and tabs.)  If you were filling out a mozilla bug report, composing an e-mail, or performing other similar actions in non-private tabs, you may lose that data when you switch to private mode.

As currently implemented, it's actually much more convenient to enable private browsing in an entirely different browser, because that doesn't change the state of Firefox.

Why not mark individual tabs or windows as "Private" somehow, so that a user can use both private and non-private modes simultaneously?  At the very least, the browser should still be able to use previously set cookies by reading them into memory and modifying the copy in memory in a private window or tab.  It should never disrupt your ability to use what you were previously using, and shouldn't force you to log back in to every site every time you use it.
If what you are experiencing is that your logged in sessions are no longer logged in inside the private browsing mode (i.e., you have to re-login), then this is the intended behavior.
Whiteboard: [invalid?]
That is part of what I'm experiencing.  The problem here seems to be different (conflicting?) notions of privacy.  There are 3 cases:

1) The user does not want any information about their browsing session recorded to their hard drive.
2) The user wants to browse (somewhat) anonymously - in this case, preventing remote sites from having information about who is connecting to them
3) 1 and 2 are both true.

The problem here comes from Firefox's privacy mode always using case 3, when only case 1 or case 2 are true.  For example, case 2 is valid but case 1 is not when the user wants to interact with remote sites without sending cookies or other data that might have been set previously, but doesn't care if the data is cached.  Case 1, but not case 2 is valid if the user wants to keep data off of their computer for some reason, but doesn't care if remote sites can use previously set cookies.  Currently, privacy mode always assumes case 3, which makes things much more difficult for a user who wants only case 1 or case 2.

So why is case 3 a problem?  Let's say, for example, that I've just been browsing on a public machine.  I'm not going to leave this machine for a while, so I've logged into my favorite mail site.  I've also logged into facebook, an online newspaper, igoogle, etc.  So I have some large number of sessions that I want to maintain.  Now I read some news that impacts a company that I've invested in.  I need to sign in NOW and sell my stock, because it will be worthless if I wait, so I can't go home and log in from my personal machine.  Clearly, I don't want this data recorded to the public machine's drive, so this is a great use for privacy mode.  But I don't want to lose my browser state at those other sites - I need to be able to see my mail at the same time that I'm saving my investments, and I'm in the middle of a chat on facebook.  Maybe I'm half way through a bugzilla bug report too!  As currently implemented, when I switch to privacy mode, I lose all of my state (at least temporarily), and have to start over with everything again, logging back into my 5 or 6 different sites!  This is very inconvenient.  What I really want is the Case 1 mode, where I don't lose my state, but no data is saved (even better if it is window specific).  As currently implemented, privacy mode disrupts everything else that you are doing.

Case 1 is the case that I would imagine most people would actually intend to use most of the time.
Case 2 is probably useful only on occasion, but might still be useful for some people.
Case 3 is only useful if both cases 1 and 2 are...which is rare.
Mass moving of all Firefox::General private browsing bugs to Firefox::Private Browsing.
Component: General → Private Browsing
QA Contact: general → private.browsing
You're mistaken with the case 2.  Case 2 is not about anonymous browsing (which we *don't* try to achieve).  It's about keeping websites from being able to tie your private and non-private browsing sessions together.  The objective here is to serve the user's privacy.

Let's see what happens if this doesn't happen.  Suppose that you're logged in to Google, and enter the private mode.  If the cookies are sent to Google at this stage, then Google would be able to identify you, and possibly offer some services to you, such as storing your search history.  Now, you probably don't want the term "wedding ring" to appear in your Google search history if you've searched for it during the private browsing mode.  That is why we disable some services (such as sending the cookies stored in non-private sessions) inside the private browsing mode.
Good point.  I hadn't thought of that.  But there is still a tradeoff there between privacy and all of the problems that I described above with the loss of state.  So why not allow both states at the same time.  If the user chooses privacy mode, start a new window that runs in that mode.  Leave existing windows open, in non-privacy mode.  Something visual could be used to identify the private window as private (I believe Google Chrome does this.)  Then, users won't lose their state.

Another alternative is to continue to use the same windows, but to stop sending cookie data when the user enters privacy mode.  This means that there would be a minimized loss of state (for example, I would not lose the entry that I'm currently typing in bugzilla), but server side data tied to the user would no longer be sent to the browser.
(In reply to comment #8)
> Good point.  I hadn't thought of that.  But there is still a tradeoff there
> between privacy and all of the problems that I described above with the loss of
> state.  So why not allow both states at the same time.  If the user chooses
> privacy mode, start a new window that runs in that mode.

This is bug 463027.  We currently lack the required technology to be able to make this happen easily, but that will most likely change in the future.

> Leave existing
> windows open, in non-privacy mode.  Something visual could be used to identify
> the private window as private (I believe Google Chrome does this.)  Then, users
> won't lose their state.

We don't probably want such obvious visual identifications, because we don't want someone passing by to be able to tell whether you're in the private mode by the looks of your browser.

> Another alternative is to continue to use the same windows, but to stop sending
> cookie data when the user enters privacy mode.

We have considered this before, but there is no easy way for a user to determine which pages have loaded inside the private mode and which ones have been loaded during the non-private mode, so it's not a good idea.

>  This means that there would be
> a minimized loss of state (for example, I would not lose the entry that I'm
> currently typing in bugzilla), but server side data tied to the user would no
> longer be sent to the browser.

There is no loss of state, anything you type in a page will be  restored when you leave the private browsing mode.  There is just this temporary unavailability of the state, which we don't have a nice way to solve.

I'm going to resolve this as INVALID.  Feel free to continue the discussion here if you have further ideas (or open new bugs if you have ideas regarding other things pertaining to the private browsing mode).

Thanks!
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID
Hmmm...how about a nonobvious visual indicator?  For example, maybe the cursor would change into something different if the user holds down a certain key combination while moving their mouse over the Firefox window.  That way, they can check the window status when they know that no one is looking over their shoulder.

I'm not sure that a visual indicator is really a problem.  Assume that you have something in your browser that you don't want a passer by to see.  Then if they look at your window, they will see whatever it is anyway, right?  To use your previous example, if your girlfriend walks by and sees pictures of wedding rings all over the window, it's a pretty good bet what you just searched for, even if the browser itself doesn't show that you are in private mode.  In other words, any time that someone else can see your browser, they can also see what is IN your browser.  So a privacy indicator doesn't matter.  If you care that they don't know what is there, you've just blown it anyway.  :-)  If you don't care, then it doesn't matter that you are in privacy mode.

From your blog, it looks like the browser always displays (private mode) when in private mode anyway.  So you can tell which windows are private and which are not just by displaying (private mode) in the title of the private ones without giving away anything that you aren't already...
The visual indicator thing is just a side-topic here.  The title change is obvious enough for the user herself, but is not distinguishable from a distance by passer-by's, because it's text-only.

And in the wedding ring example, if you hear your girl friend entering the room, you may simply switch to an unrelated tab (such as your web mail app) and she won't suspect anything, unless she sees a graphical icon indicating that you're in the private mode (and in that case shopping for wedding rings might not be the first thing which comes to her mind, so you're in for a trouble!)  ;-)
You need to log in before you can comment on or make changes to this bug.