484439 - Is it safe to turn off private browsing while in autostart mode?

Status: RESOLVED INVALID

(Firefox :: Private Browsing, defect)

Description

[Nochum Sossonko [:Natch]]

This came up in a few bugs, and it seems that this needs to be guarded against. IMHO it shouldn't be possible to turn off pb while in autostart mode as the user has made an explicit choice to have it always on.

However, if it should be possible (which it is now) this must be guarded against, details of some minor bugs encountered to follow.

Comment 1

[(no longer active)]

In the always-on mode, we disable the menu item to leave the private browsing mode, so the user doesn't currently have any means to leave that mode.  However, bug 462041 will require the possibility of leaving the private browsing mode while inside the always-on mode.

What problems are you referring to?

Comment 2

[Nochum Sossonko [:Natch]]

Well without bug 462041, extensions can disable pb mode. One of the minor bugs:

STR:

1) Set autostart pref to true.
2) Restart firefox.
3) Navigate to some site.
4) Run
| Components.classes["@mozilla.org/privatebrowsing;1"].
getService(Components.interfaces.nsIPrivateBrowsingService).
privateBrowsingEnabled = false | in the error console.

5) rerun that only with | = true |
6) Restart firefox.
7) site from #3 is loaded.

I still have to check this against latest trunk, will update then. Also I'm not sure how some of the patches (i.e. bug 481598) will affect this...

Comment 3

[(no longer active)]

Well, protecting against Murphy is one thing, protecting against Machiavelli is
another.  :-)

I don't think we're going to try to protect against any incorrect things that
extensions can do.  Even if we do protect against this specific scenario, and
extension can find other ways to cause chaos (to the extent of replacing the
private browsing service with its own implementation!).

I think the current UI guards against incorrect actions from the user pretty
well, and if an extension exposes the PB service on its own, it should handle
such cases on its own as well.

Mike, what do you think?

Comment 4

[Nochum Sossonko [:Natch]]

Btw, this isn't totally paranoia, I don't see anywhere in the documentation that one has to check the autoStarted property before shutting down private browsing mode. This really is something extensions may not look out for, and conversely, if an extension has checked autoStarted can it not assume that private browsing mode is enabled?

IMHO these two settings should be bound to each other, specifically:

if (pb.autoStarted) must be (pb.privateBrowsingEnabled)

the same is vice-versa.

Comment 5

[(no longer active)]

Actually with the new privacy prefpane work in bug 462041, it will be a supported operation to exit the private browsing mode from auto-start sessions.

What I have done in that bug is to use the keep_current_session pref when switching the private browsing mode on and off.

The |if (pb.autoStarted) must be (pb.privateBrowsingEnabled)| equation actually holds in that patch, BTW.

(In reply to comment #4)
> Btw, this isn't totally paranoia, I don't see anywhere in the documentation
> that one has to check the autoStarted property before shutting down private
> browsing mode.

We impose no such obligation in the private browsing service.  In fact, inside the unit tests we test to make sure this operation is definitely supported!

> This really is something extensions may not look out for, and
> conversely, if an extension has checked autoStarted can it not assume that
> private browsing mode is enabled?

No, it can't as a general rule.  This has the same effect as one going into about:config and flipping the auto-start pref manually: nothing will change until the browser is restarted.

Comment 6

[Nochum Sossonko [:Natch]]

Fair enough, I'll mark as dependent and will reevaluate when that lands.

Comment 7

[Nochum Sossonko [:Natch]]

->INVALID, now with bug 462041...