Changes

Any data containing details such as the full or partial address of the pages visited by the user, or information saved on behalf of those sites either by the site or Firefox should not be written to the disk in a way that is exposed to the user either through the Firefox UI, or through the typical OR provided mechanisms for viewing the information on the disk. This means writing this information to a custom file, or a SQLite database in the user's profile is not permitted. However, protecting against scenarios such as attacking the disk-based page file used by the OS, or forensic analysis is outside of the scope of Private Browsing. This means that keeping that information in memory without any specific protection against the page being cached to the disk, or against probes inspecting the memory of the process at runtime is outside of the scope of private browsing.

In some specific cases, we decided that for UX reasons, we can take the user action as a request in order for something specific about the website to be remembered, and permit writing such information to the disk. For example, we take bookmarking as an explicit request from the user for the website to be remembered, so we save bookmarks in private windows. (However, we save it as an unvisited bookmark.) As another example, we don't disable saving permissions in the page info dialog from private windows.