Privacy/Reviews/New Tab

From MozillaWiki
Jump to: navigation, search

Document Overview

Feature/Product: New Tab
Projected Feature Freeze Date: (tbd)
Product Champions: Tim Taubert & Asa Dotzler
Privacy Champions: David Dahl & Sid Stamm
Security Contact: Curtis Koenig
Document State: [AT RISK] needs resolutions


Timeline:

Architectural Overview: done
Recommendation Meeting: (date TBD)
Review Complete ETA: 1-June-2012

Architecture

In this section, the product's architecture is described. Any individual components or actors are identified, their "knowledge" or what data they store is identified, and data flow between components and external entities is described.

The main objective of this feature/product is:

The New Tab Page will be shown to the user when opening a new tab. It shows up to nine of the user's most visited URLs together with their thumbnails. The user can re-arrange or remove these sites. URLs can be blocked from appearing on the New Tab Page again. Any URL can be dropped onto the grid.

Design Documents:

http://people.mozilla.com/~shorlander/files/new-tab-prototype-i03/new-tab-prototype-i03.html

Components

Describe any major components in the system and how they interact. Also include any third-party APIs (those Mozilla does not control) and what type of data is sent or received via those APIs.

Note: All the components listed below are parts of the browser and are not third party services or software.

about:newtab

This is a normal web page that is presented to the user when opening a new tab. It accesses the Places component to retrieve the user's most visited sites and displays them. The thumbnail service is queried to retrieve a thumbnail for the URLs shown on the New Tab Page grid.

Stored Data:

What Where
URLs that should not be shown localStorage for about:newtab
URLs with specific positions localStorage for about:newtab

Communication with Places

Direction Message Data Notes
In: 100 most-visited sites List of URLs and titles


Communication with Thumbnail Service

Direction Message Data Notes
Out: URL of the page to get a thumbnail for string
In: Path to the thumbnail for a given URL string/nsIFile

Thumbnail Service

The thumbnail service captures thumbnails of web pages while the user navigates through the web. The currently displayed web content is captured and written to disk as a PNG file.

Stored Data:

What Where
Thumbnails as raw PNG files $PROFILE/thumbnails/ directory

Communication with about:newtab

Direction Message Data Notes
In: URL of the page to get a thumbnail for string
Out: Path to the thumbnail for a given URL string/nsIFile

User Data Risk Minimization

There is a patch for NOT caching data from SSL-enabled pages. This takes care of most of the problem with this feature.

See (for privacy concerns and ideas): bug 754608

Alignment with Privacy Operating Principles

In this section, the privacy champion will identify how the feature lines up with Mozilla's privacy operating principles.

See Also: Privacy/Roadmap_2011#Operating_Principles:

Principle: Transparency / No Surprises

A user may be surprised to see the thumbnails the first few times, but will get quite used to seeing this feature. It does not show sites the user hasn't visited, so they won't be surprised with "suggestions".

Risk: Users' private browsing history may be leaked from private browsing mode to regular mode through thumbnails that are created.

Requirement: Verify that this feature does not create and store new thumbnails during private browsing mode.

Resolution:
[NEW]

Principle: Real Choice

Users should have control over whether or not this feature is active.

Risk: Users will not like this feature but will not be able to disable it.

Requirement: Create a mechanism so users can disable this feature.

Resolution:
[DONE] create user pref to disable the new tab thumbnails
browser.newtabpage.enabled

Principle: Sensible Defaults

It is reasonable to enable this by default, since users tend to re-visit a few sites.

Risk: Thumbnails may contain private data, though, so where possible, thumbnails with sensitive data (such as bank account ledger, private emails, private photos, etc) should not be shown.

Requirement: Do not create and display thumbnails for pages displaying sensitive data. If possible, do not create thumbnails behind user log-in, or at least not for SSL sites where users have cookies set.

Resolution:
[ON TRACK] bug 754608 will disable thumbnailing of pages served via HTTPS

Principle: Limited Data

The data being collected is only that needed to display the thumbnails (this data already exists in the browser except for the thumbnail images).

Risk: Too many thumbnails will be stored and some may potentially have some sensitive or invalid data in them. By keeping very old thumbnails in the user's profile, we run the increased risk of disclosing sensitive information to someone sifting through the browser profile on the local machine.

Recommendations: Ensure that thumbnails that are no longer used are deleted from the users' browser profile.

Resolution:
[NEW] bug 754671 thumbnails directory keeps growing infinitely

Follow-up Tasks and tracking

What Who Bug Details
[NEW] Initial Overview Discussion  ? Meeting time TBD