<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">These two ideas are semi-related. The big difference IMO isn’t the implementation, it’s the intended audience. Site-driven cache clearing is for the benefit of devs/site owners, and possibly invisible to users. PBM auto-upgrade is a user-facing feature sites implement to gain trust in sensitive areas. Because it’s a user feature, we could test it, without building a lot, to see if users perceive value when a new window opens with a notification that might say: <div class=""><br class=""></div><div class="">“<b class=""><a href="http://Example.com" class="">Example.com</a> </b>required that Firefox open in a new Private Window to protect your privacy. You also may want to clear your recent browsing history [CLEAR HISTORY]"<div class=""><br class=""></div><div class="">We’d also have to assess how widespread the use case is. I also suspect that if this existed, developers would misuse it and force upgrade to PBM because it’s a known/faster/easier hack than implementing selective cache-clearing or site permissioning. Corporate Intranets force all kind of things on their employees (i.e. Okta doesn’t respect saved PWs).</div><div class=""><br class=""><div class=""><div class=""><div class=""><div class=""><br class=""><div id="96d91169-3536-4824-ae26-5bf23d9b77ad" class=""><span name="x" class=""></span>Javaun Moradi | <a href="mailto:jmoradi@mozilla.com" class="">jmoradi@mozilla.com</a> | IRC: javaun | @javaun<br class=""><span name="x" class=""></span></div></div>
</div>
<br class=""><div><blockquote type="cite" class=""><div class="">On Sep 8, 2015, at 9:41 AM, Eric Rescorla <<a href="mailto:ekr@rtfm.com" class="">ekr@rtfm.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class=""><div class="gmail_extra">On Mon, Sep 7, 2015 at 9:28 PM, Bram Pitoyo <span dir="ltr" class=""><<a href="mailto:bram@mozilla.com" target="_blank" class="">bram@mozilla.com</a>></span> wrote:<br class=""></div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class=""><div class=""><div class=""><div class="">Hi Eric,<br class=""><br class=""></div>One interesting thing about this proposal is that it’s useful for sites that offer anti-abuse services (often, they’re domestic abuses). They have no need to track user’s activities, and therefore would have no interest in Tracking Protection. They just want to make sure that visitors, potential victims of abuse, can open the site and feel secure that their abusers won’t be able to track their activity.<br class=""><br class=""></div>You can find the original suggestion here:<br class=""><a href="https://lists.w3.org/Archives/Public/public-privacy/2015JulSep/0087.html" target="_blank" class="">https://lists.w3.org/Archives/Public/public-privacy/2015JulSep/0087.html</a><br class=""><br class=""></div>And the relevant quote below:</div></blockquote><div class=""><br class=""></div><div class="">Sure, that seems like one valid use case. I'm trying to figure out how widely</div><div class="">used a feature like this would really be. Note that this is a different use case</div><div class="">from the one Gerv proposes in that the *history* needs to be deleted, not</div><div class="">just locally stored site information.</div><div class=""><br class=""></div><div class="">-Ekr</div><div class=""><br class=""></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class=""><span style="font-family:arial,helvetica,sans-serif" class=""><br class=""></span><blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex" class="gmail_quote"><pre class=""><span style="font-family:arial,helvetica,sans-serif" class="">One example is <a href="http://www.kidshelpphone.ca/" target="_blank" class="">http://www.kidshelpphone.ca/</a> they provide anonymous phone
line for kids that may have issue or problem in their family. This lead to
a sensitive problem, a kid visiting this site need to know how to clean
browsing history since a adult seeing the browsing history might challenge
the kids about the visit and lead to more stress or bigger problems. They
did explain on the site header how to flush history and train visitor about
the anonymous tab, this isn't perfect at all, because it really entirely on
the user actions and the assumption that he read and understood the
section.<br class=""><br class="">[…]<br class=""><br class="">Of course I'm quite sure, site with adult content would also be like such
features but this is not really the issue I'm trying to resolve at this
point.</span><br class=""></pre></blockquote><div class=""> </div></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br class=""><div class="gmail_quote">On Tue, Sep 8, 2015 at 3:07 PM, Eric Rescorla <span dir="ltr" class=""><<a href="mailto:ekr@rtfm.com" target="_blank" class="">ekr@rtfm.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr" class=""><br class=""><div class="gmail_extra"><br class=""><div class="gmail_quote"><span class="">On Mon, Sep 7, 2015 at 7:17 PM, Javaun Moradi <span dir="ltr" class=""><<a href="mailto:jmoradi@mozilla.com" target="_blank" class="">jmoradi@mozilla.com</a>></span> wrote:<br class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">It’s a really compelling idea that Bram and Francois thought up. Low-risk, low-effort, and a potentially big upside.<br class="">
<br class="">
Right now, users have to be aware that PBM even exists and then remember to turn it on in certain situations. Turning it on automatically removes that cognitive barrier, grows the number of users protected by PBM, and educates them on the feature and on situations where they may want more privacy. All of those are good things for users, and since we’re making a big bet that we’ll have the best PBM of any mainstream browser, growing the market appetite for private mode would be really good for Firefox.<br class=""></blockquote><div class=""><br class=""></div></span><div class="">I'm not convinced about the connection to private browsing mode.</div><div class="">It might well be true that sites would be interested in clearing their</div><div class="">state when the user logs out (though it's worth noting that in fact</div><div class="">many sites retain state across logins and use it to present a</div><div class="">partially individualized user experience even though they would</div><div class="">require you to log in in order to access any really sensitive data.</div><div class=""><br class=""></div><div class="">However, PBM is something different and many of the applications</div><div class="">for PBM actually have you in a position adversarial to the site. For</div><div class="">instance:</div><div class=""><br class=""></div><div class="">- Using PBM to bypass limits on the number of free articles you can</div><div class="">read.</div><div class="">- Hiding your history from sites</div><div class=""> (cf. <a href="http://cseweb.ucsd.edu/~hovav/papers/jjls10.html" target="_blank" class="">http://cseweb.ucsd.edu/~hovav/papers/jjls10.html</a>)</div><div class="">- Tracking protection</div><div class=""><br class=""></div><div class="">I think it's an open question whether enough sites would want to</div><div class="">actually exercise this capability to create a material improvement in</div><div class="">user privacy.</div><div class=""><br class=""></div><div class="">-Ekr</div><div class=""><div class=""><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><div class=""><br class=""></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
There are some potential UX challenges like those you mentioned Mike — do users understand why a PB window just opened? But it’s worth doing some exploration to see how users feel about it.<br class="">
<span class=""><font color="#888888" class=""><br class="">
Javaun Moradi | <a href="mailto:jmoradi@mozilla.com" target="_blank" class="">jmoradi@mozilla.com</a> | IRC: javaun | @javaun<br class="">
</font></span><div class=""><div class=""><br class="">
> On Sep 7, 2015, at 7:47 PM, Mike Hommey <<a href="mailto:mh@glandium.org" target="_blank" class="">mh@glandium.org</a>> wrote:<br class="">
><br class="">
> On Tue, Sep 08, 2015 at 11:19:39AM +1200, Bram Pitoyo wrote:<br class="">
>> Hi Gerv,<br class="">
>><br class="">
>> Some of us at the Privacy and Security team has been thinking of the same<br class="">
>> thing!<br class="">
>><br class="">
>> Instead of a per-site caching rule, we’d like to have it so that a site can<br class="">
>> say to any browser: “Please always open me in Private Browsing”, and the<br class="">
>> browser would respect that.<br class="">
>><br class="">
>> The end result is the same: confidential information is never recorded in<br class="">
>> the cache.<br class="">
>><br class="">
>> The user flow and interface can be seen here (graciously written by<br class="">
>> Francois):<br class="">
>> <a href="https://wiki.mozilla.org/Security/Automatic_Private_Browsing_Upgrades" rel="noreferrer" target="_blank" class="">https://wiki.mozilla.org/Security/Automatic_Private_Browsing_Upgrades</a><br class="">
><br class="">
> While that seems interesting, I'll point out that my gut reaction was<br class="">
> "oh great, a new way for abusers to open popups".<br class="">
><br class="">
> Another gut feeling is that users are now accustomed to links never<br class="">
> opening new windows, and that would be a step back. I, personally, would<br class="">
> hate this feature because of that.<br class="">
><br class="">
> Mike<br class="">
> _______________________________________________<br class="">
> firefox-dev mailing list<br class="">
> <a href="mailto:firefox-dev@mozilla.org" target="_blank" class="">firefox-dev@mozilla.org</a><br class="">
> <a href="https://mail.mozilla.org/listinfo/firefox-dev" rel="noreferrer" target="_blank" class="">https://mail.mozilla.org/listinfo/firefox-dev</a><br class="">
<br class="">
_______________________________________________<br class="">
firefox-dev mailing list<br class="">
<a href="mailto:firefox-dev@mozilla.org" target="_blank" class="">firefox-dev@mozilla.org</a><br class="">
<a href="https://mail.mozilla.org/listinfo/firefox-dev" rel="noreferrer" target="_blank" class="">https://mail.mozilla.org/listinfo/firefox-dev</a><br class="">
</div></div></blockquote></div></div></div><br class=""></div></div>
</blockquote></div><br class=""></div>
</div></div></blockquote></div><br class=""></div></div>
</div></blockquote></div><br class=""></div></div></div></div></body></html>