Changes

Private Browsing was initially designed as a way for the user to browse websites without having those websites show up in the information saved by Firefox to the persistent storage, and/or later be displayed in the Firefox UI. A secondary incidental use case was discovered by the way that people were using the feature was being able which allowed users to to log in to two websites using different authentication information instances of a website at the same timeusing different credentials.

Any data containing details such as the full or partial address of the pages visited by the user, or information saved on behalf of those sites either by the site or Firefox should not be written to the disk in a way that is exposed to the user either through the Firefox UI, or through the typical OR OS-provided mechanisms for viewing the information on the disk. This means writing this information to a custom file, or a SQLite database in the user's profile is not permitted. However, the scope of Private Browsing does not include protecting against scenarios such as attacking the disk-based page file used by the OS, or forensic analysis is outside of the scope of Private Browsing. This means that keeping that the OS is not prevented from caching the sensitive information in memory without any specific protection against the page being cached to the disk, or and there is no protection against probes inspecting the process memory of the process at runtime is , as such topics are outside of the scope of private browsingthis feature's intended threat model.

In For UX reasons, in some specific cases, we decided that for UX reasons, we can take the interpret a user 's action as a request in order for to persist something specific about the website to be remembered, and we therefore permit writing such information to the disk. For example, we take bookmarking as an explicit request from the user for the website to be remembered, so we save bookmarks in from private windows. (HoweverNote, however, that we save it as an unvisited bookmark.) As another example, we don't disable choose to allow saving permissions from private window in the page info dialog from private windows.

Two instances of the same website (one running in a normal window and one running the other in a private window ) must be isolated from each other, and be thus unable to exchange information through via the browser. This is the technical reason why we originally had to keep isolate the cookies for such websites separateinstances, since a session cookie set by a private window could be picked up by a non-private instance of the same site and be saved persisted to the disk from there. The only way that we can ensure that information cannot leak from one such site to the other and find its way to the disk is to make them unable to talk to each othercommunicate, or be treated and ensure that Gecko treats them as the same by Geckoindependent.

The interesting additional use case of simultaneous logins is a byproduct of this design decision.

The browser should make it difficult for the a website to tell if they are it is in a private browsing modewindow. Without this level of protection, the websites in the example in the above section could communicate to with each other and leak information through their common server by - the website in the private window phoning home can transmit the sensitive information , and the other instance picking could retrieve it up in the next sync or suchat a later time. But Ideally, the server should have a hard difficult time telling determining if one of these instances is in using private browsing mode. There are also UX reason reasons why users may not want the websites that they are visiting in private mode know to be aware of that fact.

From a pure purely technical standpoint, there are a few weak spots in the platform that make it impossible to block this effectively. Also, over the years, it has become more difficult to fix everything in the platform according to this rule. At the present, this is probably a lost cause in practice.

From a user's standpoint, their private session with a website is done when they close their private window. In order to support this, we clear our in-memory caches containing details about the sites that the user has visited when the last private window is closed. The reason behind This mismatch between the <i>last</i> part user's mental model and the implementation is the a technical feasibility limitation of thisthe platform.

** Experience suggests that users perceive believe that private browsing implies some amount of network level privacy, but from a technical standpoint, that this is a challenging problem of its own, so we have decided to not tackle it for now. It may make sense to look into doing thisin the future, but there are also reasons why that it would be a bad idea.

** No. Again, we know that users expect thatit, so it would be valuable to try to do better in that spaceand meet expectations.

** At a technical level, because of the extensive access that add-ons have to our internal APIs, and because they are non-not sandboxed, there is nothing that we can do. However, where appropriate, we have been trying to make it easier to use our APIs in a way that does the right thing by default, in order to address some of the issue. On the policy side, we have modified the [https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews#Private_Browsing_Mode AMO add-on review guidelines] to require add-ons to adhere to our guidelines for supporting private browsing mode.

* Can Does my feature be exempted from adhering <i>have</i> to respect private browsing?** Probably notMost likely yes, but if you think you can make a case for against it, that needs to be discussed. Otherwise, it is appreciated if you consider private browsing when designing and implementing your features!