Firefox3.1/PrivateBrowsing/FunctionalSpec
Main goals
- Ensure that users can't be tracked when doing "private" things. There should be a clear line drawn between your "public" and "private" browsing sessions. It is acceptable to let things touch magnetic storage, as long as the cleanup mechanism is robust enough to remove them afterwards.
- It is also acceptable to retain data that users explicitly save (per-site permissions via prefs, bookmarks, etc)
- Non-goal for 3.1: Separate process sharing (some) data. When we get process-per-tab we can make it more IE-like, but doing this also means that we have to have something like their "hey, you're in private browsing mode" banner on the URL bar for all the world to see. Which, to me, is fail.
Specifics
Cookies
- On entry:
  - Write cookies to disk, drop the in-memory hashtable.
- During:
  - All cookies are only stored in memory.
- Exit:
  - Drop the hashtable, reload from disk.
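The entry/during/exit sequence above, as an added illustration written for this page rather than Firefox code: a toy cookie service in Python where one dict stands in for the on-disk cookie database and another for the in-memory hashtable the service answers requests from. The class and function names (CookieStore, run_scenario) and the hosts example.com and tracker.test are constructed for the example. The scenario checks the three properties the spec asks for: public cookies are invisible once private mode is entered, cookies set during the session never reach disk, and they are gone after exit.

```python
# Constructed model of the cookie rules in the private browsing spec.
# Not Firefox code: `disk` stands in for the on-disk cookie database,
# `memory` for the in-memory hashtable the cookie service serves from.


class CookieStore:
    def __init__(self):
        self.disk = {}       # persistent store, keyed by (host, name)
        self.memory = {}     # hashtable that get_cookie/set_cookie operate on
        self.private = False

    def set_cookie(self, host, name, value):
        self.memory[(host, name)] = value
        if not self.private:
            # Normal mode: writes reach disk as usual.
            self.disk[(host, name)] = value
        # Private mode: memory only, nothing touches disk.

    def get_cookie(self, host, name):
        return self.memory.get((host, name))

    def enter_private(self):
        # On entry: write cookies to disk, drop the in-memory hashtable.
        self.disk.update(self.memory)
        self.memory = {}
        self.private = True

    def exit_private(self):
        # Exit: drop the hashtable, reload from disk. Anything set during
        # the private session is discarded here.
        self.memory = dict(self.disk)
        self.private = False


def run_scenario():
    """Walk a store through public -> private -> public and return what a
    caller observes at each step."""
    store = CookieStore()
    store.set_cookie("example.com", "sid", "public-session")

    store.enter_private()
    seen_on_entry = store.get_cookie("example.com", "sid")   # None: public cookie hidden
    store.set_cookie("example.com", "sid", "private-session")
    store.set_cookie("tracker.test", "uid", "42")
    seen_during = store.get_cookie("example.com", "sid")     # private value served

    store.exit_private()
    seen_after = store.get_cookie("example.com", "sid")      # public value restored
    leaked = store.get_cookie("tracker.test", "uid")         # None: private cookie gone
    on_disk = sorted(store.disk)                             # only the public cookie

    return seen_on_entry, seen_during, seen_after, leaked, on_disk


if __name__ == "__main__":
    print(run_scenario())
```

The point of the `disk.update(...)` on entry is that the public session's state is preserved exactly, so nothing the user had is lost; the `dict(self.disk)` on exit is what makes the private session's cookies unrecoverable from the running service.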
History
- On entry:
  - Record timestamp of the last visit recorded.
- During:
  - IsVisited always returns false (no link coloring spying)
  - AddVisit silently fails.
- Exit:
  - Ensure any visits recorded after the timestamp are purged (shouldn't be needed, but might be useful as a sanity check).
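The history rules above, as an added Python model written for this page rather than Firefox code: a list of (url, timestamp) tuples stands in for the visits table and a counter stands in for the clock. The class and method names (History, record_unguarded, run_scenario) and the example URLs are constructed. record_unguarded is a hypothetical code path that forgot to check the private flag; it exists only to show why the exit-time purge is a worthwhile sanity check even though AddVisit already refuses to record.

```python
# Constructed model of the history rules in the private browsing spec.
# Not Firefox code: `visits` stands in for the visits table and the
# monotonic counter stands in for visit timestamps.
import itertools


class History:
    def __init__(self):
        self.visits = []                 # list of (url, timestamp)
        self._clock = itertools.count(1)
        self.private = False
        self.entry_timestamp = 0

    def _now(self):
        return next(self._clock)

    def add_visit(self, url):
        # During private mode AddVisit silently fails: nothing is recorded
        # and the caller is not told anything went wrong.
        if self.private:
            return False
        self.visits.append((url, self._now()))
        return True

    def is_visited(self, url):
        # During private mode IsVisited always answers False, so link
        # colouring cannot reveal which sites were visited before.
        if self.private:
            return False
        return any(u == url for u, _ in self.visits)

    def record_unguarded(self, url):
        # Hypothetical code path that missed the private check; only here
        # to show what the exit-time purge catches.
        self.visits.append((url, self._now()))

    def enter_private(self):
        # On entry: remember the timestamp of the last recorded visit.
        self.entry_timestamp = self.visits[-1][1] if self.visits else 0
        self.private = True

    def exit_private(self):
        # Exit: purge anything recorded after the entry timestamp and
        # report how many rows the sanity check removed (should be 0).
        self.private = False
        kept = [v for v in self.visits if v[1] <= self.entry_timestamp]
        purged = len(self.visits) - len(kept)
        self.visits = kept
        return purged


def run_scenario():
    h = History()
    h.add_visit("https://public.example/")

    h.enter_private()
    visited_in_private = h.is_visited("https://public.example/")  # False despite the row
    added_in_private = h.add_visit("https://private.example/")    # False, nothing stored
    h.record_unguarded("https://leak.example/")                   # simulated missed check

    purged = h.exit_private()                                     # 1: the leaked row
    remaining = [u for u, _ in h.visits]
    visited_after = h.is_visited("https://public.example/")       # True again
    return visited_in_private, added_in_private, purged, remaining, visited_after


if __name__ == "__main__":
    print(run_scenario())
```

A non-zero return from exit_private is the signal a developer would want to log: it means some caller wrote history while the flag was set, which the gating in add_visit was supposed to make impossible.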
Site Permissions
- Will not prevent users from explicitly adding exceptions via Prefs or Page Info
Passwords
- Do not prompt to save passwords.
- Passwords will not autofill, but will be available for autocomplete.
Other
- Autocomplete will be available, but will not remember data entered.
- DOMStorage will not allow reading or writing of data (need JST/Enn feedback on how to do this cleanly)
- All authenticated sessions will be logged out entering and leaving private mode.
- Downloads will be removed from the download manager (dlmgr) on completion.
Optional
- Save session and close all browser windows, and restore after exiting private mode? Seems reasonable enough, especially if we can add the session store override to save SSL form data as a one-off...