Security/Contextual Identity Project/Private Session
enhancing private browsing to provide some elements of isolation between sites
Warning: This is just a draft proposal of how contextual identities might be implemented in Firefox
Contents
Description
This proposal includes some ideas we have for containers, but completely rely on the existing Private Browsing feature.
The basic idea:
- Every Private Window opens a new AppID. It becomes a Private Session.
- A link opened from inside a Private Window opens in the same AppID.
It will not require existing users of Private Window to change their existing behaviours, but it will give users who want multiple sessions the ability to open a new one easily.
There are going to be some UI changes, of course, but they’re going to be minimal. The visual change is this: every new session is visually distinct. It will have a different colour (from purple to orange, blue, green, etc.) and also a little number to further distinguish it from each other. Everything else remains exactly the same.
This visual change solves the invisible state problem:
…it's impossible to tell by looking at windows whether they share cookies or not. Users would have to keep a mental model of the interrelationship of every open incognito window, all of which would look the same, in order to predict what would happen in any of them.
Proposed Behaviour
In normal window/tab
- Clicking Open Link in New Tab or Open Link in New Window will open content using the current session
- Clicking File → New Private Session or right-clicking Open Link in New Private Session will open a fresh AppID
- Every new Private Session opened from a link originating in normal window/tab gets a fresh AppID, even if the link is the same
In private session window/tab
- Clicking on a link, or right-clicking Open Link in New Tab or Open Link in New Window will open the current AppID
- Clicking File → New Private Session will open a fresh AppID
- There is no way to open a fresh AppID by right-clicking a link. We could, perhaps, try a right-click option called Open Link in New Session, but this could be confusing
Possible timeline
Phase 1:
- Hide Private Session behind a pref.
- Pref. off by default except on Nightly and Aurora
- No user-facing interface. No colour coding.
- Blog about it on Hacks blog. Firefox is the only browser that does this. It’s going to help web developers and make it possible for users to sign into one site with multiple accounts.
- Measure and observe user behaviour. See how developers and early adopters use it.
Phase 2:
- Enable pref. for everybody
- Deploy user-facing component (colour/number coding – this solves the problem of invisible state)
- Tutorials on Private Session start page
- Tutorials on SUMO
- Measure and observe user behaviour
- How many sessions do a user typically open? How many tabs and windows per session?
- Do they use it to sign into the same site and keep it open for a long time?
Phase 3:
- Based on user research, decide whether it’s worth it to turn this feature into containers, or to stick with designing multiple profiles instead.
- Based on user research, design containers around use cases.
Related Work
- Security/Anonymous_Browsing has a list of use cases which require better isolation between sites.
- Google Chrome’s Issue 24690: All incognito windows share the same cookie jar
- List of Private Browsing consumers in gecko
- Bug 117222 - (sessionperwindow) Limit Scope of Session Cookies (new tabs and windows). The bug was filed in 2001, accumulating 101 duplicates and 107 votes, CCing 196 people.
- Safari’s per-tab Private Window: “Now, you can open an individual Private window, and each tab within a Privacy Mode active window will be it’s own unique private session.”
