[or-cvs] [torbutton/maint-1.2] Document Private Browsing Mode review.
mikeperry at seul.org
Wed Dec 2 20:16:05 UTC 2009
Author: Mike Perry <mikeperry-git at fscked.org>
Date: Wed, 30 Sep 2009 21:37:24 -0700
Subject: Document Private Browsing Mode review.
Commit: 4d2006b944841006e9b0314c007717c19258241d
---
website/design/FF35_AUDIT | 76 ++++++++++++++++++++++++++++++++++++++++++---
1 files changed, 71 insertions(+), 5 deletions(-)
diff --git a/website/design/FF35_AUDIT b/website/design/FF35_AUDIT
index 2e249a6..3db462c 100644
--- a/website/design/FF35_AUDIT
+++ b/website/design/FF35_AUDIT
@@ -22,6 +22,7 @@ First pass: Quick Review of Firefox Features
- navigator.geolocation
- Governed by geo.enabled
- "2 week access token" is set
+ - geo.wifi.access_token.. Clearing is prob a good idea
- http://mxr.mozilla.org/mozilla1.9.1/source/dom/src/geolocation/NetworkGeolocationProvider.js
- https://developer.mozilla.org/En/Using_geolocation
- DNS prefetching after toggle
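Review bot: the added geo.wifi.access_token line under navigator.geolocation does not say when the token should be cleared, and it lacks the XXX marker this file uses elsewhere for open action items, so it reads as an observation rather than a to-do. Suggest stating the trigger for the clear (for example, on Tor toggle) and prefixing it with XXX if it is meant as pending work.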
@@ -92,20 +93,85 @@ First pass: Quick Review of Firefox Features
Second Pass: Verification of all Torbutton Assumptions
- "Better privacy controls"
-- "Swap DocShell"
- - https://developer.mozilla.org/En/XUL/Method/SwapDocShells
+ - Basically UI stuff for prefs we set already
+ - address bar search disable option is interesting, but not
+ torbutton's job to toggle. Users will hate us.
- Private browsing
- https://developer.mozilla.org/En/Supporting_private_browsing_mode
+ - We should consider an option (off by default) to enable PBM during
+ toggle
+ - It is a good idea because it will let our users use DOM storage
+ safely and also may cause their plugins and other addons to be
+ safe
+ - Doing it always will cause the user to lose fine-grained control
+ of many settings
+ - Also we'll need to prevent them from leaving without toggling tor
+ - Stuff the emit does (grep for NS_PRIVATE_BROWSING_SWITCH_TOPIC and
+ "private-browsing")
+ - XXX: clear mozilla.org/security/sdr;1. We should too! Wtf is it??
+ - They also clear the console service..
+ - Recommend watching private-browsing-cancel-vote and blocking if
+ we are performing a db operation
+ - Maybe we want to block transitions during our toggle for safety
+ - XXX: They also clear general.open_location.last_url
+ - XXX: mozilla.org/permissionmanager
+ - XXX: mozilla.org/content-pref/service
+ - XXX: Sets browser.zoom.siteSpecific to false
+ - Interesting.. They clear their titles.. I wonder if some
+ window managers log titles.. But that level of surveillance is
+ unbeatable..
+ - XXX: Unless there is some way for flash or script to read titles?
+ - They empty the clipboard..
+ - Can js access the clipboard?? ...
+ - Yes, but needs special pref+confirmation box
+ - http://www.dynamic-tools.net/toolbox/copyToClipboard/
+ - They clear cache..
+ - Cookies:
+ - Use in-memory table that is different than their default
+ - This could fuck up our cookie storage options
+ - We could maybe prevent them from getting this
+ event by wrapping nsCookieService::Observe(). Lullz..
+ - NavHistory:
+ - XXX: nsNavHistory::AutoCompleteFeedback() doesn't track
+ awesomebar choices for feedback.. Is this done on disk?
+ - Don't add history entries
+ - We should block this observe event too if we can..
+ - The session store stops storing tabs
+ - We could block this observe
+ - XXX: They expunge private temporary files on exit from PMB
+ - This is not done normally until browser exit or
+ "on-profile-change"
+ - emits browser:purge-domain-data.. Mostly just for session
+ editing it appears
+ - Direct component query for pbs.privateBrowsingEnabled
+ - This is where we have no ability to provide certain option
+ control
+ - browser.js seems to prevent user from allowing blocked
+ popups?
+ - Some items in some places context menu get blocked:
+ - Can't delete items from history? placesContext_deleteHost
+ - nsCookiePermission::InPrivateBrowsing() calls direct
+ - but is irellevant
+ - Form history cannot be saved while in PBM.. :(
+ - User won't be prompted for adding login passwords..
+ - Can't remember prefs on content types
+ - Many components read this value upon init:
+ - This fucks up our observer game if tor starts enabled
+ - NavHistory and cookie and dl manager
+ - We could just wrap the bool on startup and lie
+ and emit later... :/
+ - Or! emit an exit and an enter always at startup if tor is
+ enabled.
- Read iSec report
- Compare to Chrome
- API use cases
-- https://developer.mozilla.org/En/Security_changes_in_Firefox_3.5
-- SSL Toggle
+- SSL Toggle to clear session id
- Unto tabs Toggle
-- SafeBrowsing Update Key
+- SafeBrowsing Update Key removed on cookie clear still?
- Places
- SessionStore
- Has been reworked with observers and write methods. Should use those.
+- check if nsICertStore is still buggy...
Third Pass: Exploit Auditing
- Remote fonts
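Review bot: in the Second Pass list, the "Swap DocShell" entry and the Security_changes_in_Firefox_3.5 link are deleted with no finding recorded, while "Better privacy controls" gains a conclusion; a one-line outcome for each removed item would keep the audit trail complete. In the added Private browsing notes, "XXX: clear mozilla.org/security/sdr;1. We should too! Wtf is it??" recommends clearing a component that the same line says is not understood, so note what it stores before treating it as an action item. Minor: "Stuff the emit does" appears to be missing a word, "exit from PMB" should read PBM to match the rest of the section, and "irellevant" is misspelled.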
--
1.5.6.5