-
-
Notifications
You must be signed in to change notification settings - Fork 356
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Activate the persistence of the tabs between sessions also in always incognito mode #1516
Comments
@csagan5 the patch is very simple, and it pretty much builds on that
already tried and it works, but the frills are missing, before I go on I would like to know what you think. |
I think that there is risk we might miss something present in current Chromium incognito mode design that makes this less safe from privacy perspective; this applies to both this feature and the history-in-incognito one. When we were discussing that I mentioned that there are lots of URLs nowadays that contain user-identifying data in the URL. You can continue developing this, although I see a slippery slope here:
What will you say when there is a feature request about keeping cookies? |
in your opinion, what should I check?
Certain.
as I am, I would say ok, there are use cases for which it would make sense, such as accessing corporate sites. |
I do not know, it is the risk of the "unknown". Unfortunately we do not have access to the design docs of the incognito feature and they might be outdated anyways; the source code is the only truth.
The former is hard because of the display small size, the latter cannot be done by a browser, the querystring can simply be obfuscated. Feel free to continue with the PR, but I would probably also not go further e.g. no cookies in future. |
@uazo would you like to submit a PR for this? However we should not save also cookies, the modified incognito mode with history and keeping tabs has dangerously become too similar to the normal browsing mode. |
yes, I'm working on it. the idea is
probably the new page can also be called up from the history page |
Bromite is neutral in regards to user navigation, it cannot do this.
This sounds horribly complex. I am not so sure anymore about this feature. |
I told you, I'm undecided too
no it is not. |
Incognito mode has always been "ephemeral", in the sense that nothing is written to disk permanently when browsing. This concept was already attacked successfully the first time with the addition of history, recents and offline pages. Persisting tabs is something going 100% against the "ephemeral" nature of incognito sessions so - complex or not - I do not think this should be added to Bromite. This would basically create the functionality of "delete everything on exit", just in a different form. |
let's talk about this (I thought I already said that): for me it is not like that. for me the (always) incognito is a way to be ephemeral with the sites, not with the device, which is mine and I manage it best.
no, it is not the same thing, because in addition the chromium developers minimize the data exposure with the incognito mode. |
Once you have tabs, history, recents and offline pages in incognito mode what is the difference with non-incognito mode from the perspective of sites? I am looking specifically at:
|
trick question? I do not understand... |
No, I am referring to "no way to connect between sessions": what information do sites have? What is the practical difference between incognito mode with even tabs restored vs "delete everything on exit"? |
I understand, in addition to those we save to disk and which could be deleted at startup? nothing else, assuming that everything is really erased. because the difference is that in incognito it is not really written
the help of the chromium/blink team who disable some privacy issues before us with incognito mode. |
I am not sure about that, because incognito mode was designed to not have tab states restored. For example as you also mentioned: what is the point of erasing certain information on restart if the tab state contains it? (cookies, submitted user data etc) Whatever improvements are made in incognito mode by design are null and void once we start adding these "features" that in reality will fool the users thinking that they are somewhat more protected in terms of privacy. |
the status of the tab is not resumed, only the navigation link.
why do you say so, it's not true. browsing anonymously covers privacy issue by not saving anything on disk, and anything unsaved is not recoverable from the sites |
That is only 1 feature and it protects from someone stealing or finding your phone, turning it off, opening it and then attaching a device to the memory soldered on your phone and extracting the content (assuming that you do not have Android device encryption enabled, see also: https://source.android.com/security/encryption/full-disk). There are also other features related to online browsing, and those can be affected by changing functionality like it has been done so far and planned to be done in this issue.
Ok, so the only persisted information is what is present in URL. |
because you are optimistic and you think we find them all ...
yes, or so it will be. |
No, I am saying that we cannot find them all and thus we are changing things we do not understand: the policy you want to take advantage from is only valid if some prerequisites are met, and these changes will violate that. There is not just "do not save in incognito mode", there are also other changes in place that increase privacy when in incognito mode. |
sure. but the original question was "way to connect between sessions": without data exchanged there is no way, let's say, in an "active mode", correct?
an example? |
The functionality we have enabled or now would enable (tabs restore) was not designed with incognito in mind, so it is a matter of not assuming that there is none and proving it instead.
I am referring to everything else which is not about storing in the profile data. You can search the code for any check "is incognito?" and see whether it is about storing something in the profile data or a more general privacy concern of something that should not happen when in incognito. |
you can't help but foresee the incognito mode, in the chromium code it is too tied to basic concepts like profile or partitionstorage. and I have never found in the code assumptions of the type, if the history is active then you are not in incognito mode, but if I find it surely I will tell you.
are you telling me that the function that activates that patch does it have any impact on how incognito mode works? |
We have already had this conversation, see #695 (comment) (related: chromium/chromium@48d4ae5)
The question is: how to make sure that the tabs restore will not conflict with existing other functionality that protects privacy in incognito? The example I made is smart selection that is disabled in Chromium in incognito mode because it would leak some information. There are other cases where a functionality is disabled only in incognito and the reason is (more or less) documented in code or commits. |
if linked to always incognito, a control must be present to validate it. |
The setting gives the user the choice but user 100% expects that privacy and security are not diminished even when toggling this.
It is a re-definition of always-incognito mode; perhaps it is time to create a wiki page for it, explaining everything about what always-incognito means in Bromite and what happens with all these options?
No, I also expect that you look into what you are changing; as you remember we have disagreed on what constitutes a privacy leak before, so you cannot propose a change without checking the impact, it effectively leaves the task to me (which I will do anyways) but if you have also looked into the parts you are changing from design perspective that helps. It is a situation of "make the minimal change so that the feature works" vs "make the change and also look how code works to understand if there are any privacy or security problems involved"; I prefer the latter and I never know if you have done that investigation or not because the PRs or patches do not contain much information. |
Have you seen this old conversation? The answer to your question is: yes. Chromium developers disable smart selection when in incognito because it would leak information. Do you understand what I am talking about when saying "everything which is not about the storage"? |
I will wait for your replies to the above comments; meanwhile I have checked the codebase (to the best that I could) and could not find anything which would become less privacy-safe with the feature. Will check again the specific parts if you submit a PR. |
the user expects badly, 100% cannot be assured, bugs are always present. we do our best, but it's not always easy.
simple, the activation of those functions even in incognito, done.
Of course I do.
we have no way today, for sure, to declare that our changes do not impact privacy or security, aside from our own subjective checks.
just ask me. I try to verify every possible path modified by my interventions, but I have no way to describe it in the best possible way.
and it always is, with or without that patch https://source.chromium.org/chromium/chromium/src/+/main:content/public/android/java/src/org/chromium/content/browser/selection/SmartSelectionClient.java;l=66;drc=7fb345a0da63049b102e1c0bcdc8d7831110e324 |
I wrote that user expects fully that privacy and security are not diminished when toggling a specific feature of this always-incognito mode. Incognito mode cannot be "less incognito" when something is enabled or disabled.
I have a different consideration for the necessary level of quality and statements like this are showing it more evidently.
The only thing I can do is to call for more scrutiny and do more scrutiny, and that is what I am doing. The goal is to avoid bugs like #1942 (and worse) as best as we can; there is no individual blame but there must be responsibility, any PR cannot be merged in a reckless fashion.
That's what I ask in every PR when I cannot figure out the changes.
In the patch description there is a reference to this Chromium commit that says:
Back then when I developed this patch I concluded that web search is disabled in incognito for the same reason, however I cannot find any clue about this. It could be either by design (incognito searches are not trackable so detrimental from product perspective) or because back then there was some other technical reason to do this. The git history leads to the source being imported from SVN so we will never know. The intent of the patch was:
However it looks like nothing is passed to the TextClassifier in incognito so the above was misled. In conclusion: please open a PR for this issue as well and we will discuss the technical details there. |
I like the way you work, and although we don't get along sometimes, we are a team with the same goals and different visions
we should seriously invest in test cases, and maybe in the future we will have enough time to do so.
sure I will |
Sure, I am very happy of your contributions and would like more people to join as well! As for the different visions: in some cases, like for the non-privacy-related patches, I would love to have more of that but in the boundaries of this project I am forced to stick to the project mission about privacy.
For this purpose I have developed some new tooling and I am thinking when to release it because it would open the door to not just support requests about the browser but also about the building process. I am trying to figure out if it will be beneficial for browser freedom in general (with more open source work on browsers like Bromite) or just a drain of free support.
Which patches do you have in mind, maybe I can help? Do you refer to safe browsing and binary blobs patches perhaps? Upstream decided long ago to remove all build flags related to that...
I remember you mentioned this earlier; Iridium browser was also using a similar approach. Does all traffic have these tags?
Slightly related: the audio fingerprinting mitigation patch breaks rendering of sites like this one: https://persepolis.getty.edu/ |
magari...
are you referring to the bottom toolbar? I've already told you, I'll take care of keeping it updated (as I'm actually doing). you might even make some exceptions, every now and then :) but that's okay, don't worry
unfortunately I don't know how to help you in the decision, but you can always do as the webview (no support), personally I would not see anything wrong with it.
yes
I didn't know it
yes, and they are introducing it also on the java side. among other things, the development of such a filter doesn't even seem that complex
I have seen the implementation of brave, I have developed a small utility to see the changes directly in the chromium code. |
I sent you a message about this on Reddit. In short: yes, exceptions can be made, you can submit the PR.
I would like more people to build Chromium/Bromite, but I also do not want to open a "Discord for building Chromium for newbies" place.
For safe browsing: yes. For binary blobs: maybe there never was such a build flag.
That's interesting; we have already discussed this in the past and my concern was/is also that the code might go into crazy loops trying to send traffic that we block via tags. But it could indeed be used as a second protection and/or to find new privacy-invasive features.
👍 |
ah! notifications NEVER arrive... ok!
uao, does that mean you made it extremely simple? I'm curious...
exactly. and maybe we could also remove the seek and replace patch ... |
Nothing miraculous but if you have the necessary hardware it should be quite well automated when using the official build automation (both for builds and patches maintenance).
The URLs reached from JavaScript would not be covered though. |
which url? do you mean by the user's navigation? about a way to block url from javascript I'm researching on tensorflow (although I don't understand that much), but I also found https://github.com/polcak/jsrestrictor |
The browser has some HTML and JS files that are used on some pages (similar to the Proxy UI one) that also contain domains that are replaced automatically by that patch. In fact you can check that a lot of the files replaced there are not java or C++ files.
I think this would be too complex/invasive to integrate. |
if you are referring to the webui it is only on the desktop side |
I found where (and what) persists between sessions: way to remove out:
or like StripReferrerFromPageState |
I am glad you found this, but this is for me evidence that there is too much surface for bugs if this functionality is added. Incognito mode should not be made more similar to normal mode, and normal mode should not be made more similar to incognito mode. I know that we have some functionality in these directions but it's not useful for the users when it diminishes their privacy or security. |
as you can see I am checking very carefully, I have not yet prepared any patches, but the intention is that when I'm safer.
for me, the use of the regular mode decreases the user's privacy, you know i think always incognito should be the default in bromite. Surely the lack of tests is very frustrating and unfortunately very serious for a browser :(. I'm working on this too, I also saw that wchen342 has made progress |
This feature would store the tabs state unencrypted on the device; incognito mode has always had the feature to not store that on the device. How is this an improvement of incognito mode? |
maybe we don't understand each other because it's the wrong word, let's try to call it in another way, for example, "bromite mode". lately I rely on this, surely you know https://2019.www.torproject.org/projects/torbrowser/design/
and I think it can be done, however it is really a choice of field (scelta di campo, si dice così?) my idea is:
so could it be an improvement of always incognito? |
Is your feature request related to privacy?
Yes, improving the always incognito mode
Is there a patch available for this feature somewhere?
No
Describe the solution you would like
I am able to enable to keep tabs between sessions in always incognito mode, and the idea is to connect it to the "Enable History" flag
Describe alternatives you have considered
currently the "normal" tabs are saved in an unencrypted file in the data directory, while the "anonymous" ones in encrypted mode with a key that changes each time the browser is started.
the latter mode does not allow me to reread the content after each browser reboot.
since I don't want to change that logic, I would prefer that the tabs are saved unencrypted only if both flags are active.
from the point of view of privacy I see no problems, since the history itself is kept in unencrypted mode.
the patch will have to obey the will not to save tabs if the "Close tabs on exit" flag is active.
The text was updated successfully, but these errors were encountered: