Closed Bug 528416 Opened 15 years ago Closed 15 years ago

Download Directory Persists After "Clear Recent History"

Categories

(Firefox :: Private Browsing, defect)

Product:
Firefox
Component:
Private Browsing
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Firefox 3.7a1
Tracking Flags:
Tracking Status
blocking1.9.2 --- needed
status1.9.2 --- .4-fixed
blocking1.9.1 --- needed
status1.9.1 --- .10-fixed

People

(Reporter: adamator, Assigned: ehsan.akhgari)

Details

(Keywords: privacy, verified1.9.1, verified1.9.2)

Attachments

(2 files)

Patch (v1)
7.65 KB, patch
Gavin
: review+
faaborg
: ui-review+
dveditz
: approval1.9.2.4+
dveditz
: approval1.9.1.10+
Details | Diff | Splinter Review
Comments
1.78 KB, patch
sdwilsh
: review+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5 (.NET CLR 3.5.30729)

Firefox remembers where you last downloaded a file to.  The next time you try to download a file, it automatically points to the same directory in windows.  This is generally a very useful feature, but there doesn't seem to be a way to clear this data without downloading a file to a different directory.

It would improve browsing privacy if "Clear Recent History" had an option to reset download location to whatever the default directory is.

Reproducible: Always

Steps to Reproduce:
1.  Download a file to a local folder.
2.  Go to another web page, and download another file--verify that Firefox automatically opens the last folder as the default location where the download will take place.
3.  Go to Tools->Clear Recent History
4.  Download another file, verify that Firefox still points to the same, last-selected directory.


Expected Results:  
After Clear Recent History, Firefox should move the directory suggested as a download location to Desktop or a default downloads folder.
Assignee: nobody → ehsan
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Version: unspecified → Trunk
Keywords: privacy
Attached patch Patch (v1)Splinter Review 

        Attachment #412273 -
        Flags: review?(gavin.sharp)

    
    

    
  
Comment on attachment 412273 [details] [diff] [review]
Patch (v1)

You should get ui-review on this...

        Attachment #412273 -
        Flags: review?(gavin.sharp) → review+
OS: Windows Vista → All
Hardware: x86 → All

    
  

        Attachment #412273 -
        Flags: ui-review?(faaborg)

        Attachment #412273 -
        Flags: ui-review?(faaborg) → ui-review+

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/9dd8a336cd7f
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → Firefox 3.7a1

    
  

        Attachment #412273 -
        Flags: approval1.9.2?

    
    

    
  
I'd appreciate being cc'd to bugs that change behavior in modules that I own (namely the download manager).  It looks like this always clears the preference when the user exits private browsing, which feels like a bad user experience to me.  Is this correct?  Why do we even want to clear the last download directory when clearing history?  We aren't clearing the recent docs list where all the downloads went to, so we aren't giving away any more user history than what is easily available.  For that matter, what value does knowing the last downloaded to directory anyway?

This feels like we've used the hammer we have because that's all we had, but the experience seems sub-par here.

I'd like to see more comments in the download manager code to make it more clear as to what's going on and why we are doing what we are doing.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

    
    

    
  
(In reply to comment #4)
> I'd appreciate being cc'd to bugs that change behavior in modules that I own
> (namely the download manager).

Oh, sorry; I'll make sure to do that in the future.

>  It looks like this always clears the preference
> when the user exits private browsing, which feels like a bad user experience to
> me.  Is this correct?

No.  Inside the private browsing mode, the last download directory is never stored in the prefs store, and is merely held inside a variable in memory, which is cleared when exiting the private browsing mode.  This is done to protect users from revealing their last download directory which most likely contains files which they have downloaded throughout their private browsing session.

>  Why do we even want to clear the last download directory
> when clearing history?

If you consider history as being the data implicitly gathered by the browser during the browsing session, then the last download directory is also part of the history.

>  We aren't clearing the recent docs list where all the
> downloads went to, so we aren't giving away any more user history than what is
> easily available.  For that matter, what value does knowing the last downloaded
> to directory anyway?

I think it could reflect files downloaded to a particular directory.  Consider this use case:

1. The user downloads some files that doesn't want anybody else to know about.
2. He tries to clear the last hour of browsing history to cover his tracks.
3. The last download directory at this point reveals the directory that the files have been downloaded to, which can lead to revealing the files in many cases.  Without this fix, we don't expose any way in our privacy UI for clearing this download directory.

> This feels like we've used the hammer we have because that's all we had, but
> the experience seems sub-par here.

What do you think, Alex?

> I'd like to see more comments in the download manager code to make it more
> clear as to what's going on and why we are doing what we are doing.

Sure, I'll submit a patch for that.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        CommentsSplinter Review
      

    


  

        Attachment #412932 -
        Flags: review?(sdwilsh)

    
    

    
  
(In reply to comment #5)
> I think it could reflect files downloaded to a particular directory.  Consider
> this use case:
> 
> 1. The user downloads some files that doesn't want anybody else to know about.
> 2. He tries to clear the last hour of browsing history to cover his tracks.
> 3. The last download directory at this point reveals the directory that the
> files have been downloaded to, which can lead to revealing the files in many
> cases.  Without this fix, we don't expose any way in our privacy UI for
> clearing this download directory.
But they'll still show up in Recent Documets on windows, which is why I'm confused as to how this helps anything.

    
    

    
  
Comment on attachment 412932 [details] [diff] [review]
Comments

r=sdwilsh, although I still don't think this is the right behavior and would like clarification from the UX team.

        Attachment #412932 -
        Flags: review?(sdwilsh) → review+

    
    

    
  
(In reply to comment #8)
> (From update of attachment 412932 [details] [diff] [review])
> r=sdwilsh, although I still don't think this is the right behavior and would
> like clarification from the UX team.

The patch has already ui-review, but I'll let faaborg comment on this again.

    
    

    
  
> For that matter, what value does knowing the last downloaded
> to directory anyway?

I'm just trying to download my most recent bank statement when Firefox takes me to the curious location of

c:/pictures/cats/catsInLeotards/

>But they'll still show up in Recent Documets on windows, which is why I'm
>confused as to how this helps anything.

If we could control that, I think we probably should. But either way if the user gets embarrassed by Windows, they should (hopefully) direct their seething rage at Windows.  If the user gets embarrassed by Firefox, they are definitely going to direct their vitriolic fury at Firefox. (that's fury as in anger... nevermind).

> This feels like we've used the hammer we have because that's all we had, but
> the experience seems sub-par here.

When it comes to private browsing and clear recent history, data preservation is the new dataloss, we want to perform perfectly.  If we make a single mistake, the user will lose all confidence that we are actually clearing their tracks.

    
    

    
  
(In reply to comment #10)
> If we could control that, I think we probably should. But either way if the
> user gets embarrassed by Windows, they should (hopefully) direct their seething
> rage at Windows.  If the user gets embarrassed by Firefox, they are definitely
> going to direct their vitriolic fury at Firefox. (that's fury as in anger...
> nevermind).
I'll note that we add it to the Recent Docs.  We could not do this in private browsing mode, and maybe we should...

    
    

    
  
(In reply to comment #10)
> >But they'll still show up in Recent Documets on windows, which is why I'm
> >confused as to how this helps anything.

> if the user gets embarrassed by Windows, they should (hopefully) direct their
> seething rage at Windows.  

If I can interject for a moment--I originated this report, and the POV of an end user might be relevant here.  I do direct some of my "vitriolic fury" at Windows--we all know it's not the most secure or private OS.  However, I know I can clear recent documents through Windows.  It's fairly easy to do, and when it's appropriate I do so.  There is, however, no way at present to clear last download location.  None.  I may still have to take an extra step to erase my tracks within Windows, but Firefox's saved download directory persists and there's no way i've found to purge it--that's the issue.  Just my two cents.

    
    

    
  
> I know I can clear recent documents through Windows.  It's fairly easy to do
> and when it's appropriate I do so.  There is, however, no way at present to
> clear last download location.  None.

also a good point.

>I'll note that we add it to the Recent Docs.  We could not do this in private
>browsing mode, and maybe we should...

For some reason I didn't think we had any control over that, and just assumed that it was looking at changes in the file system.  I'll create a follow up bug.

    
    

    
  
Filed follow up bug 530235 for interacting with the Recent Documents menu.

    
  
Status: REOPENED → RESOLVED
Closed: 15 years ago15 years ago
Resolution: --- → FIXED

    
    

    
  
Comment on attachment 412273 [details] [diff] [review]
Patch (v1)

approval1.9.2 requests aren't currently being monitored, since we're nearing RC freeze and there are too many outstanding requests, so I'm clearing this request. Feel free to re-request approval if you are confident that it's worth drivers' time to consider whether this non-blocker needs to land for 1.9.2 at this stage.

        Attachment #412273 -
        Flags: approval1.9.2?

    
    

    
  
Comment on attachment 412273 [details] [diff] [review]
Patch (v1)

I think this is still worth to consider for 1.9.2.

        Attachment #412273 -
        Flags: approval1.9.2?

        Attachment #412273 -
        Flags: approval1.9.2? → approval1.9.2.2?

    
    

    
  
Comment on attachment 412273 [details] [diff] [review]
Patch (v1)

Nice little privacy fix with tests from Ehsan. Borderline, but we should probably take it in 1.9.2.3

        Attachment #412273 -
        Flags: approval1.9.2.2? → approval1.9.2.3?

    
    

    
  
This is a pretty serious flaw with our current private browsing implementation.  Anyone downloading content in private browsing is going to have the content exposed to the next user of the browser, which is a pretty huge information leak.  I am very strongly in favor of getting this in 1.9.2.3 (for some reason I thought it already landed).

    
    

    
  
Nominating for blocking 1.9.2.  I agree with Alex's evaluation in comment 19, and in fact I think I should have nominated this as blocking before.
blocking1.9.2: --- → ?

    
    

    
  
Do you think we should back-port this to 1.9.1?
blocking1.9.2: ? → needed

    
    

    
  
(In reply to comment #21)
> Do you think we should back-port this to 1.9.1?

Oh, yes!
blocking1.9.1: --- → ?

    
  

        Attachment #412273 -
        Flags: approval1.9.1.10?
blocking1.9.1: ? → needed

          status1.9.1:
          --- → wanted

          status1.9.2:
          --- → wanted

        Attachment #412273 -
        Flags: approval1.9.2.3?

        Attachment #412273 -
        Flags: approval1.9.2.3+

        Attachment #412273 -
        Flags: approval1.9.1.10?

        Attachment #412273 -
        Flags: approval1.9.1.10+

    
    

    
  
Comment on attachment 412273 [details] [diff] [review]
Patch (v1)

Approved for 1.9.2.3 and 1.9.1.10, a=dveditz for release-drivers

    
    

    
  
Verified for 1.9.1 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.10pre) Gecko/20100409 Shiretoko/3.5.10pre (.NET CLR 3.5.30729).

Verified for 1.9.2 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4pre) Gecko/20100409 Namoroka/3.6.4pre (.NET CLR 3.5.30729).
Keywords: verified1.9.1, 
          
            verified1.9.2

    
    

    
  
Geez, took long enough...

Kidding!  You guys are awesome, thanks for taking my bug seriously!

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: