Blog Archives

Blog entries related to the Private Browsing feature in Firefox

Per-window private browsing ready for testing now!

One of the most often requested features in the private browsing support for Firefox has been the ability to open a private window without needing to close the entire session. Over the past 19 months, we have been working on

Posted in Blog Tagged with: , , ,

Help build a tool for checking Private Browsing compatility in extensions

As I wrote before, there are plans in motion to require Private Browsing mode compatibility in Firefox extensions.  In order to make the lives of our reviewers easier, we need a tool to help them review extensions for Private Browsing compatibility.

I’ve laid out the specifics of such a tool in a wiki page.  The plan is detailed, with a lot of links to documentation which would help you do the specific tasks needed for building this tool.  If you’ve ever wanted to get started building an extension, or were waiting for an exciting extension idea which would help Mozilla folks do their job better, this is a very good opportunity.

I’ll be available to help you through the details of building this tool.  Don’t hesitate, jump in!

Posted in Blog Tagged with: , ,

Private Browsing support in Firefox extensions

Firefox 3.5 included the Private Browsing feature for the first time.  As I’ve already written about it, Private Browsing is a mode in which Firefox does not record any data which can reveal the sites and pages that users have visited.  So, whenever you want to browse without leaving a trace on your computer, you put Firefox into the Private Browsing mode, and rely on Firefox to keep its promise and not record any revealing information about your browsing activities.  Now, with extensions introduced into the picture, things are a little bit more complex.

In general, there is no way for Firefox to be able to automatically detect whether extensions are honoring the Private Browsing mode or not.  The same is true in almost every other functionality provided by the browser.  That is why we’ve been using human inspection in reviewing the extensions submitted to AMO, to make sure that extensions do not impair the functionality provided by the browser.

After a lengthy discussion with the AMO editors, we have decided to modify the AMO add-on submission policy to reflect that extensions should honor the Private Browsing mode in order to be listed publicly on AMO.  While most extensions will not need any modifications for supporting Private Browsing (because they don’t record any data revealing users’ browsing activities), there are some which require some changes, and we appreciate the fact that the change cannot happen overnight.  Therefore, we’ve tentatively decided to give a two-month grace period to add-on authors before we actively start to reject extensions incompatible with the Private Browsing mode.

This means that during this grace period, if a reviewer comes across an extension which complies with the submission policy in every respect except for Private Browsing support, one of the following will happen depending on the status of the add-on:

  • For add-ons nominated to become public for the first time, the add-on will be rejected.
  • For updates to existing public add-ons, the update will be approved with the additional note to the author stating the incompatibility of the add-on with Private Browsing, and that it must be fixed in the next version of the add-on.

Please note that while the decision is not yet final, it’s been discussed extensively and is likely to be put into effect soon.

Now, let’s take a moment to talk about what it means for an extension to support the Private Browsing mode.  Basically, extensions need to ensure that no sensitive data is recorded inside the Private Browsing mode.  You would of course get a different answer depending on who you ask about what sensitive data are, but we’re tried to keep a well-defined scope for this term in Firefox.  Basically, we consider data which fits into one of these five categories as sensitive, and refrain from saving such data to disk inside the Private Browsing mode.

  1. The data which includes things like the URL of pages that the user has visited.  Example of such data inside the Firefox includes browsing history, and download history.  Note that in this case, we usually remember the things that the user explicitly asks us to save (like bookmarks), but try to eliminate the visited-ness traces if possible (e.g., we save bookmarks as unvisited bookmarks, which can also be created by adding a bookmark from the Library window and entering a URL manually.)
  2. The domains of websites which the user has visited.  Example of such data inside Firefox includes the content preferences service, which stores preferences (such as the zoom level) for an Internet domain.  We usually refuse to remember such settings inside the Private Browsing mode.
  3. The content of the web pages that the user has visited.  Example of such data inside Firefox includes the network cache.  We usually try not to write the content to disk inside the Private Browsing mode, and in the case of cache, we still keep the in-memory cache around for the duration of the Private Browsing mode.
  4. Other data related to web pages that the user has visited.  Examples of such data inside Firefox includes the cookies, which we only store in memory inside the Private Browsing mode.
  5. Other data which is used to customize the Firefox UI based on what happens inside the Private Browsing mode.  Examples of such data inside Firefox includes the path of the last download directory, which is used to initialize the file picker to that directory for future downloads.  We usually refuse to store this data inside the Private Browsing mode, although we retain the data in memory for the duration of the Private Browsing mode in order to provide a seamless UI functionality to users.

The AMO reviewers will be reviewing each submitted add-on based on the criterion of whether it persists any data belonging to the above categories on disk.  Although after reading the list, supporting Private Browsing mode in an extension might seem overwhelming, it actually isn’t that hard!  Basically, if an extension is using one of the APIs provided by Firefox or Gecko, it’s already safe, because we’ve been careful to make sure that our APIs handle the Private Browsing mode in a graceful manner.  There are several resources for add-on authors who need to know more details about how to support Private Browsing mode in their extensions.  Make sure to keep these resources in mind, and use them:

Happy hacking!

Posted in Blog Tagged with: , ,

First Private Browsing extension

I did expect the community to get interested in extending the Private Browsing mode by developing extensions, but I didn’t expect it to happen this soon!  I’m happy to announce that the first Private Browsing extension has been developed by the community member Kurt Schultz! This extension adds a toolbar and a status bar button to Firefox for quick access to the Private Browsing feature, and lets you toggle a few of the underlying preferences as a bonus!  Grab it while it’s hot from AMO!

Here’s a screenshot provided by Kurt:

Toggle Private Browsing extension in action

Thanks for the great work, Kurt!

Posted in Blog Tagged with: , , ,

Prepare your add-on for Private Browsing

Private Browsing is one of the new features of Firefox which extension developers should start to handle in their extensions.  The API for this new mode is quite straightforward, and easy to use.  In addition, theme developers may want to style Firefox differently inside the Private Browsing mode.  That is also insanely easy to do.  In this article, I’m going to give you an overview of how the API works, plus with some sample code.  Note that what I’m explaining here is based the latest features landed on Mozilla trunk, and I don’t expect any of them to break before the final release of Firefox 3.1, but we may land extra API support if add-on developers demand it, so make sure to leave your comments.

Notice: This post is targeted at Mozilla extension developers and theme designers.  See my previous post for a general overview of the Private Browsing mode.

Private Browsing mode for extension developers

First, a bit of background is in order.  Many extensions may store data which can be used to reveal the places that the user has visited.  Examples include a download manager/helper extension, an extension which manipulates Places information, an extension which stores or otherwise manipulates cookies, etc.  You may be wondering what it takes to ensure that your extension respects the user’s choice about the private mode.  The most important thing to note here is that the Private Browsing mode does not magically handle what your extension does in saving browsing history data; that is the job of each extension.

At the heart of our Private Browsing implementation lies the Private Browsing service.  This service, which can be accessed using the contract ID @mozilla.org/privatebrowsing;1, implements the nsIPrivateBrowsingService interface.  Here is the definition of this interface:

[scriptable, uuid(49d6f133-80c0-48c7-876d-0b70bbfd0289)]
interface nsIPrivateBrowsingService : nsISupports
{
    // When read, determines whether the private browsing mode is currently
    // active.  Setting to true enters the private browsing mode, and setting
    // to false leaves the private browsing mode.
    // Setting this value while handling one of the notifications generated
    // by the private browsing service throws NS_ERROR_FAILURE.
    attribute boolean privateBrowsingEnabled;

    // Determine whether the private browsing mode has been started
    // automatically at application startup.
    // This value will never be true if privateBrowsingEnabled is false.
    readonly attribute boolean autoStarted;
};

The privateBrowsingEnabled attribute is the most important one.  To get the current status of the Private Browsing service, it’s enough to get the value of this attribute.  To switch to the Private Browsing mode, this attribute should be set to true, and to exit this mode, it should be set to false.  The autoStarted attribute can be queried to determine whether the browser.privatebrowsing.autostart preference has triggered the private mode automatically at startup.

There are a number of notifications which the Private Browsing service sends out in order to notify extensions about the Private Browsing related events that happen at runtime.  When the Private Browsing mode is about to initiate, the service sends out the private-browsing-cancel-vote notification in order to ask all the observers if they are all OK with entering the private browsing mode.  The data parameter if this notification will be set to enter.  The subject parameter of this notification will be set to a nsISupportsPRBool object.  Extensions are supposed to set this object to true if they wish to prevent the browser from entering the Private Browsing mode (for example, if the extension is downloading a file which can’t be interrupted).  If none of the observers vote to cancel the mode transition, the Private Browsing mode will be activated.  This sends a private-browsing notification with the data parameter set to enter.

The reverse case happens when the Private Browsing service is requested to leave the private mode.  First, a private-browsing-cancel-vote notification is sent to check if all modules can handle the private mode switch.  The data parameter will be set to exit this time.  If no extension sets the subject parameter to true, then the private mode will be turned off, and a private-browsing notification will be sent with the data parameter set to exit.  One extra point to mention here is that the subject parameter of the private-browsing notification will be a nsISupportsPRBool which determines whether the mode is being terminated normally, or because of an application shutdown (true standing for the case of an application shutdown).

A few code samples will be useful here, to demonstrate the API.

Sample 1: check the status of the Private Browsing mode

This sample shows the most basic usage of the Private Browsing service: querying the current status of Private Browsing.

var pbs = Components.classes["@mozilla.org/privatebrowsing;1"]
                    .getService(Components.interfaces.nsIPrivateBrowsingService);

// are we currently in the Private Browsing mode?
var inPrivateBrowsingMode = pbs.privateBrowsingEnabled;

Sample 2: listen for Private Browsing notifications

This sample first defines a helper object to make the process of listening for Private Browsing mode changes easier, and then shows a small sample of how this can be used.

// Helper object to register listeners for Private Browsing mode changes
function PrivateBrowsingListener() {
  this.init();
}
PrivateBrowsingListener.prototype = {
  _os: null,
  _inPrivateBrowsing: false, // whether we are in private browsing mode
  _watcher: null, // the watcher object

  init : function () {
    this._inited = true;
    this._os = Components.classes["@mozilla.org/observer-service;1"]
                         .getService(Components.interfaces.nsIObserverService);
    this._os.addObserver(this, "private-browsing", false);
    this._os.addObserver(this, "quit-application", false);
    try {
      var pbs = Components.classes["@mozilla.org/privatebrowsing;1"]
                          .getService(Components.interfaces.nsIPrivateBrowsingService);
      this._inPrivateBrowsing = pbs.privateBrowsingEnabled;
    } catch(ex) {
      // ignore exceptions in older versions of Firefox
    }
  },

  observe : function (aSubject, aTopic, aData) {
    if (aTopic == "private-browsing") {
      if (aData == "enter") {
        this._inPrivateBrowsing = true;
        if (this.watcher &&
            "onEnterPrivateBrowsing" in this._watcher) {
          this.watcher.onEnterPrivateBrowsing();
        }
      } else if (aData == "exit") {
        this._inPrivateBrowsing = false;
        if (this.watcher &&
            "onExitPrivateBrowsing" in this._watcher) {
          this.watcher.onExitPrivateBrowsing();
        }
      }
    } else if (aTopic == "quit-application") {
      this._os.removeObserver(this, "quit-application");
      this._os.removeObserver(this, "private-browsing");
    }
  },

  get inPrivateBrowsing() {
    return this._inPrivateBrowsing;
  },

  get watcher() {
    return this._watcher;
  },

  set watcher(val) {
    this._watcher = val;
  }
};

// Here's how to use this helper

var listener = new PrivateBrowsingListener();

if (listener.inPrivateBrowsing) {
  // we are in the private mode!
} else {
  // we are not in the private mode!
}

listener.watcher = {
  onEnterPrivateBrowsing : function() {
    // we have just entered the private browsing mode!
  },

  onExitPrivateBrowsing : function() {
    // we have just left the private browsing mode!
  }
};

Please note that the onEnterPrivateBrowsing and onExitPrivateBrowsing functions are optional, and you can avoid declaring one if you don’t need it.  Also, note that the PrivateBrowsingListener object is safe to use in previous version of Firefox which did not have the Private Browsing service available.

Sample 3: turn Private Browsing on or off

This sample shows how extensions can switch to and from the Private Browsing mode.

var pbs = Components.classes["@mozilla.org/browser/privatebrowsing;1"]
                    .getService(Components.interfaces.nsIPrivateBrowsingService);

// enter the Private Browsing mode
pbs.privateBrowsingEnabled = true;

// now, whatever we do remains private!

// exit the Private Browsing mode
pbs.privateBrowsingEnabled = false;

Sample 4: prevent leaving the Private Browsing mode

This sample shows how an extension can prevent the browser from turning the Private Browsing mode off.

var os = Components.classes["@mozilla.org/observer-service;1"]
                   .getService(Components.interfaces.nsIObserverService);
os.addObserver(function (aSubject, aTopic, aData) {
    aSubject.QueryInterface(Components.interfaces.nsISupportsPRBool);
    // if another extension has not already canceled entering the private mode
    if (!aSubject.data) {
      if (aData == "exit") { // if we are leaving the private mode
        aSubject.data = true; // cancel the operation
      }
    }
  }, "private-browsing-cancel-vote", false);

Private Browsing mode for theme designers

Our goal here was to enable a CSS-only mechanism to allow theme designers to style the browser both outside and inside of the Private Browsing mode.  I simply added the browsingmode attribute to the window element in browser.xul.  The value of this attribute is normal when the user is outside the Private Browsing mode, and it’s switched to private when the user turns the Private Browsing mode on.  This allows having CSS rules to select any element inside the browser’s window inside the private browsing mode specifically, and styling them to your heart’s content.  For example, suppose that you would like the location bar to appear with a gray background while we’re inside the Private Browsing mode.  This can simply be done like below:

[browsingmode=private] #urlbar {
  background: #eee;
}

We have tried to keep everything as simple as we could, so if you feel there’s something which can be improved in the API, or need to ask a question, please do not hesitate to leave a comment here.  You’re feedback is appreciated.  Yes, really!

Update:  Modified Sample 2 to work in previous versions of Firefox.

Posted in Blog Tagged with: , , ,

Don’t leave a trace: Private Browsing in Firefox

Today, a major feature was added to the pre-release versions of Firefox 3.1, called Private Browsing.  I’ve been working for quite some time on this, so I thought it may be a good time to write about what this feature is and how to use it.

As you may know, while you browse the web, your browser usually records a lot of data which will later be used to improve your browsing experience.  For example, it records a history of all the web pages you have visited, so that later if you need help remembering a site you visited a while back, it can assist you in finding that site.  Now, that is great, but there is a downside: those data can be used to trace your online activities.  For example, if your coworker sits at your computer, she can view all of your browsing history, which may not be what you want.

Suppose you’re doing something online, and you don’t want your coworkers know about it.  An example scenario would be looking for a new employer while at work!  One option would be to do your work, and then clear the data that Firefox has stored for you, such as history, cookies, cache, ….  But the problem is that this action will also remove the parts of your online activities data which you don’t want to hide, so the history that Firefox records can no longer be used to find a web site you had visited a month before.  Private Browsing will help you here.

Private Browsing aims to help you make sure that your web browsing activities don’t leave any trace on your own computer.  It is very important to note that Private Browsing is not a tool to keep you anonymous from websites or your ISP, or for example protect you from all kinds of spyware applications which use sophisticated techniques to intercept your online traffic.  Private Browsing is only about making sure that Firefox doesn’t store any data which can be used to trace your online activities, no more, no less.

So how does one actually use this feature?  It couldn’t be simpler!  To start, just select Private Browsing from the Tools menu.

To start, just select Private Browsing from the Tools menu.

You will see a dialog box which asks you whether you want to save and close all of your current windows and tabs, and start the Private Browsing mode.  Click Start Private Browsing to start your private session.

Click Start Private Browsing to start your private session.

After you do this, your non-private browsing session is closed and a new private session is opened, showing you the screen below.  (Before you mention, the ugly icon you see there is something I created as a placeholder!  This icon will be replaced in the final release of Firefox 3.1.)

Start of the Private Browsing mode

As you see, not much is different in the Firefox window inside the Private Browsing mode, except for the (Private Browsing) text added to the title bar at the top of the window.  That is intentional: after all, if you’re doing something online that you don’t want your coworkers to know about, you don’t want to raise their attention with a big sign saying PRIVATE as they pass by and glance over your shoulder. 

At this stage, you can start browsing web sites, without ever having to worry that Firefox might store something on your computer which can be used to tell which pages you have visited.  Once you’re done, just uncheck the same menu item in the Tools menu to close your private session.

Once you're done, just uncheck the same menu item in the Tools menu to close your private session.

 This action discards all of the data from your private session, and will restore your non-private browsing session, just like it was before entering the Private Browsing mode.

This action will restore your non-private browsing session, just like it was before entering the Private Browsing mode.

Now, as I mentioned at the top of this post, this feature is available in pre-release versions of Firefox 3.1 (what we geeks call nightly builds).  This feature will be included in Firefox 3.1 Beta 2 which will be released soon, so if you want to try it, you can give it a shot then.  And of course, it will appear in the final release of Firefox 3.1, so if you’re not the type who test beta software, you can wait until Firefox 3.1 is released.

Update:  As many people seem interested in knowing this, there is a way to make Firefox always start in Private Browsing mode.  Go to the about:config page, click I’ll be careful, I promise, type browser.privatebrowsing.autostart in the Filter text box, double click the entry to make its value true.  After doing this, the next time you start Firefox, it will start in private browsing mode automatically.  To turn this off, use the same steps to change the value of this preference to false.  There is a plan to provide an easier method to set this option in the final release of Firefox 3.1.

Posted in Blog Tagged with: , , ,

First bits of the Private Browsing patch landed

I’m pleased to announce that the first pieces of the Private Browsing feature have just landed on Firefox trunk!  This might not be something to get too excited about, since all of the landed code remains disabled for now, but it’s a big breakthrough for me, considering the fact that I’ve been playing with this code since January!  Some of you may even remember that this feature was cut off Firefox 3 because of the fact that it was too big to take at that stage of Firefox 3 development, it will be included in the final release of Firefox 3.1.

Based on my latest chat with Marcia on IRC, the current plan is to finish the work on the code for private browsing, and land all of the remaining pieces by the end of October 26.  After that, during the week of October 27, we are going to have a test week for the community to start testing the Private Browsing mode to make sure that it will be rock solid in the final release.  Of couse, every piece of this patch has automated unit tests (on which Aaron has been helping me) to make sure that the feature at least works according to the functional specification, but a feature of this size still needs lots of human testing as well.  Stay tuned for more updates on the schedule.

A little bit more of technical details follows.  The pieces landed at this stage include the nsIPrivateBrowsingService, and the private browsing implementation and unit tests for the Places, Cookies, Content Preferences, and Form History modules.  These include all of the code necessary to implement Private Browsing handling in those modules, but because the implementation has been designed to ignore the absence of the Private Browsing service if it’s not available (like the case of these pieces of shared code using in other applications than Firefox), nothing will change in the functionality of these modules.  Those who want to test the Private Browsing mode should still run try server builds that I post to the Private Browsing bug.

For the details of what was checked in, check out the links below (pun intended):

Posted in Blog Tagged with: , , ,

Private Browsing progress

My work on the Private Browsing patch is soon going to enter a new stage.  Four of the modules that the patch is touching already have unit tests.  The only part of the patch which is not correctly implemented yet according to the recent changes in the functional spec is the download manager module, which needed a back-end change to support in-memory databases.  I’ve implemented that in another bug I filed to track it, and my patch there is waiting for review.

In a recent discussion with mconnor, we decided that it would be best to split up the patch according to the boundaries of the modules that it’s touching, and ask for review on each part separately.  I’m going to do this today.  There are four modules which already have unit tests and are ready for review:

  • Cookies
  • Content Preferences
  • Passwords Manager
  • Authenticated Sessions

The Places module is also nearly ready for review, thanks to Aaron Train, a Seneca college student who has volunteered to write some unit tests for Private Browsing.

The nifty thing is that once I get the necessary reviews for each module, it would be possible to land it, because the unit tests are designed such that they would pass if the Private Browsing service is not available.  I would still continue to publish monolithic patches in the Private Browsing bug, to make the lives of those who want to try out the full patch easier, so to reduce the amount of confusion, I’m going to mark the "for review" patches by naming them with this pattern: "[for review] module vn", where module is the name of the module and n is the revision of the module specific patch, initially set to 1 and incremented if a reviewer requires changes to the implementation of that module.

Stay tuned for future updates on the Private Browsing progress.  Like always, feedback in form of comments on this blog, bug 248970, or email/IRC notes are welcome.

Posted in Blog Tagged with: , , ,

Private Browsing builds ready

Followup from my previous post, I prepared Windows and Linux builds for my Private Browsing patch.  You can download these builds and try them out.  Feedback is much appreciated!

Download Windows Build (11MB)
Download Linux Build (21MB)

Also, try server builds are now available for all three platforms (Windows, Linux, and Mac OS X) here.

Posted in Blog Tagged with: , , ,

Private Browsing for Firefox upcoming

With the feedback from Alex Faaborg on the status of Private Browsing in Firefox, and urged by the Incognito browsing mode in Chrome and Internet Explorer’s InPrivate Browsing (and of course, Safari’s Private Browsing mode), it seems that there’s a chance to have this in Firefox 3.1.  In case you don’t already know, I had written a patch which added support for the Private Browsing mode a while back, but it never saw the light of the day.  Now, I have a new patch which implements the new requirements nearly completely (the only part missing from it is disabling DOM Storage in private mode.

What happens when you run Firefox with this patch is, when you enter the private mode via the Private Browsing menu entry under the Tools menu, all of your logged sessions get invalidated, your whole cookie list is cleared, and the site permission controls in Page Info windows get disabled.  When you’re working in the private mode, no record of your browsing history is ever saved, all cookies are treated as session cookies, Firefox will not auto-fill the password forms for websites with saved passwords, and will not prompt you for saving the password on websites where you enter your password for the first time, and also will not save auto-complete entries for what you enter in the web forms or keep your downloaded files in the list of your downloads.  This will make it very difficult for anyone using your PC to tell which websites you have visited during the private browsing session (although the owners of the websites will be able to track your browsing just like in the usual browsing mode).  When you exit the Private Browsing mode, all browser services return to their normal operation, just like the moment you entered the private browsing mode.

At this point, we are looking for people willing to test this patch.  For now, you should apply this patch on Firefox trunk and build it yourself, but hopefully we’ll get builds for Windows, Mac OS X and Linux ready shortly so that people can test this new mode more easily.  Feedback in form of comments on this post as well as the Private Browsing bug is much appreciated.

Posted in Blog Tagged with: , , ,