Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#10352 closed defect (fixed)

Private Browsing Mode data not properly cleared by New Identity

Reported by: mikeperry
Owned by:
Priority: Immediate
Milestone:
Component: TorBrowserButton
Version:
Severity:
Keywords: tbb-testcase, ff24-esr, MikePerry201312
Cc: mcs, brade, gk
Actual Points: 2
Parent ID:
Points:
Reviewer:
Sponsor:

Description

It looks like the Mozilla documentation we used in #9570 was incomplete. It turns out that much of the private browsing mode context is not cleared upon all windows being closed on New Identity if you are using the default configuration ('browser.privatebrowsing.autostart' set to true). It is also not cleared by our existing usage of the cookie and cache clearing APIs, which are also leaving data from Private Browsing Mode sessions intact.

All of this data does get cleared if you are storing history (which is why I missed this so far :/)

It also appears that the Torbutton Cookie Protections window is always empty if you are using the default configuration ('browser.privatebrowsing.autostart' set to true).

Good test pages for verifying this are:
http://samy.pl/evercookie/
http://www.stevesouders.com/blog/2012/09/10/clearing-browser-data/

Change History (4)

comment:1 Changed 6 years ago by mikeperry

This appears to be fixable by emitting "last-pb-context-exited" during torbutton_do_identity(). Unfortunately, I experienced hangs during torbutton_send_ctrl_cmd() if this event is emitted prior to it. Emitting the event just prior to the OpenNewBrowserWindow() call seems to avoid hangs.

comment:2 Changed 6 years ago by mikeperry

Actual Points: 2
Keywords: MikePerry201312 added
Resolution: fixed
Status: new → closed

Ok, the good news is that on my system at least, repeated clicks on New Identity still are not sufficient to trigger the hang. Given the time pressure for getting a FF24 release out, I think that means this fix is acceptable.

comment:3 Changed 6 years ago by brade

From what Mark and I can tell, emitting "last-pb-context-exited" seems like a good solution.

We did notice one side effect: the system clipboard is cleared if data was copied to it while in private browsing mode (see http://mxr.mozilla.org/mozilla-esr24/source/widget/xpwidgets/nsClipboardPrivacyHandler.cpp#72 ). This is a Firefox feature and it makes sense but surprised us during our testing.

We also noticed when testing with the stevesouders.com site, that a "store data for offline use?" prompt is displayed but clicking "allow" does not dismiss the prompt (Error Console shows an error). We will open a new bug about this.

comment:4 in reply to:  3 Changed 6 years ago by mcs

Replying to brade:

> We also noticed when testing with the stevesouders.com site, that a "store data for offline use?" prompt is displayed but clicking "allow" does not dismiss the prompt (Error Console shows an error). We will open a new bug about this.

That ticket is #10360.
