On 2014-05-20, 2:25 PM, Jonas Sicking wrote:
> On Fri, May 16, 2014 at 7:45 AM, Justin Dolske <dol...@mozilla.com> wrote:
>> On 5/16/14, 6:38 AM, Curtis Koenig wrote:
>>
>>> Would this be disabled in Private Browsing? If not that might be
>>> perceived as negating one of the reasons users have for using that
>>> particular feature.
>>
>> Private Browsing mode is about not storing _local_ data from your
>> activities. It is explicitly not an "anti tracking" mode because that's
>> extremely difficult-to-impossible to do robustly just on the client, and
>> would be a misleading claim and/or result in a browser most people would
>> think is broken. E.G. as already noted in this thread, sites can already do
>> this without <a ping>.
>
> I don't agree with this. If it was just about not storing _local_ data
> then we wouldn't create a separate (throw-away) cookie jar for
> private-browsing windows. We would just avoid writing new cookie data
> while in private browsing.

The reason we do that is to make it harder for websites to detect whether the user is browsing the same website from both private and non-private mode. Actually the core technical reason why we did this was that we wanted to prevent cookies from being persisted to disk for obvious reasons, but we also did not want to break the web by preventing websites from setting cookies, so this was basically the simplest implementation strategy too.

> But I believe that that would be a pretty crappy private browsing
> feature which I don't think anyone here would argue for.
>
> Private browsing is mainly about giving you a new, throw-away,
> identity. The throw-away part is why we don't allow storing data. The
> reason we have a separate cookie jar is in order to implement the
> "new" part.

That was actually an unintended use case which was enabled as a side-effect of the cookie jar separation. We never really designed PB for this.

> However I agree that keeping <a ping> enabled in private browsing
> doesn't affect your ability to have that new, throw-away, identity.
>
> However we do implement some additional features in private browsing
> mode. For example we disable link coloring. I'm not sure what the
> exact goal of that is. I always guessed that it is to enable you to be
> extra private about your identity while in private browsing. So that
> might provide an argument for disabling <a ping> in private browsing.

The goal of disabling link coloring was IIRC to disable websites from being able to run attacks against your browsing history to be able to correlate your browsing sessions like I said above. A smaller reason was that because we don't store history items from private navigations, the link coloring might "not work" in surprising ways to the user. This was before dbaron's general fix for that issue; I don't actually think we need to keep doing that any more, but nobody has complained about that yet. :-)

Ehsan
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
