Firefox 3.5 included the Private Browsing feature for the first time. As I've already written about it, Private Browsing is a mode in which Firefox does not record any data which can reveal the sites and pages that users have visited. So, whenever you want to browse without leaving a trace on your computer, you put Firefox into the Private Browsing mode, and rely on Firefox to keep its promise and not record any revealing information about your browsing activities. Now, with extensions introduced into the picture, things are a little bit more complex.
In general, there is no way for Firefox to be able to automatically detect whether extensions are honoring the Private Browsing mode or not. The same is true in almost every other functionality provided by the browser. That is why we've been using human inspection in reviewing the extensions submitted to AMO, to make sure that extensions do not impair the functionality provided by the browser.
After a lengthy discussion with the AMO editors, we have decided to modify the AMO add-on submission policy to reflect that extensions should honor the Private Browsing mode in order to be listed publicly on AMO. While most extensions will not need any modifications for supporting Private Browsing (because they don't record any data revealing users’ browsing activities), there are some which require some changes, and we appreciate the fact that the change cannot happen overnight. Therefore, we've tentatively decided to give a two-month grace period to add-on authors before we actively start to reject extensions incompatible with the Private Browsing mode.
This means that during this grace period, if a reviewer comes across an extension which complies with the submission policy in every respect except for Private Browsing support, one of the following will happen depending on the status of the add-on:
- For add-ons nominated to become public for the first time, the add-on will be rejected.
- For updates to existing public add-ons, the update will be approved with the additional note to the author stating the incompatibility of the add-on with Private Browsing, and that it must be fixed in the next version of the add-on.
Please note that while the decision is not yet final, it's been discussed extensively and is likely to be put into effect soon.
Now, let's take a moment to talk about what it means for an extension to support the Private Browsing mode. Basically, extensions need to ensure that no sensitive data is recorded inside the Private Browsing mode. You would of course get a different answer depending on who you ask about what sensitive data are, but we're tried to keep a well-defined scope for this term in Firefox. Basically, we consider data which fits into one of these five categories as sensitive, and refrain from saving such data to disk inside the Private Browsing mode.
- The data which includes things like the URL of pages that the user has visited. Example of such data inside the Firefox includes browsing history, and download history. Note that in this case, we usually remember the things that the user explicitly asks us to save (like bookmarks), but try to eliminate the visited-ness traces if possible (e.g., we save bookmarks as unvisited bookmarks, which can also be created by adding a bookmark from the Library window and entering a URL manually.)
- The domains of websites which the user has visited. Example of such data inside Firefox includes the content preferences service, which stores preferences (such as the zoom level) for an Internet domain. We usually refuse to remember such settings inside the Private Browsing mode.
- The content of the web pages that the user has visited. Example of such data inside Firefox includes the network cache. We usually try not to write the content to disk inside the Private Browsing mode, and in the case of cache, we still keep the in-memory cache around for the duration of the Private Browsing mode.
- Other data related to web pages that the user has visited. Examples of such data inside Firefox includes the cookies, which we only store in memory inside the Private Browsing mode.
- Other data which is used to customize the Firefox UI based on what happens inside the Private Browsing mode. Examples of such data inside Firefox includes the path of the last download directory, which is used to initialize the file picker to that directory for future downloads. We usually refuse to store this data inside the Private Browsing mode, although we retain the data in memory for the duration of the Private Browsing mode in order to provide a seamless UI functionality to users.
The AMO reviewers will be reviewing each submitted add-on based on the criterion of whether it persists any data belonging to the above categories on disk. Although after reading the list, supporting Private Browsing mode in an extension might seem overwhelming, it actually isn't that hard! Basically, if an extension is using one of the APIs provided by Firefox or Gecko, it's already safe, because we've been careful to make sure that our APIs handle the Private Browsing mode in a graceful manner. There are several resources for add-on authors who need to know more details about how to support Private Browsing mode in their extensions. Make sure to keep these resources in mind, and use them:
- Supporting Private Browsing mode on MDC
- nsIPrivateBrowsingService documentation
- The dev.apps.firefox mailinglist, where you can ask your questions and I and others will be answering you