On Monday 11 Jul 2011 21:46:10 Matthew Toseland wrote:
> It looks like the original justification for this is somewhat less now, since
> Firefox 4 and later *mostly* fix the CSS history leak. They don't eliminate
> all possibilities, there are some options if you know what url you are
> looking for, but probing hundreds of editions via javascript or image loading
> doesn't work.
>
> Having said that, it does make sense to launch the browser in privacy mode if
> possible. E.g. to prevent history being written at all.
>
> Going to privacy mode manually saves all tabs, and they can be got back by
> manually exiting privacy mode or restarting the browser.
>
> Also, firefox -privacy <url> for me on ff5 on windows just opens another tab,
> without using privacy mode. Much the same as (some older versions of?)
> Chrome. The bug reporter was using 3.6.
>
> All this changes things somewhat. See the bug:
> https://bugs.freenetproject.org/view.php?id=5209
>

Given that:
1) -private doesn't work anyway on FF5 if there are other tabs, it just ignores it, like Chrome used to, and
2) It does clobber the other tags in ff3.6 (according to the bug reporter, we should test this), and
3) The CSS history leak doesn't happen with ff4+ (or is very hard to exploit at least), and
4) We would like to use privacy or incognito mode nonetheless as it should result in the browser being more careful, and in particular it won't record history ...

The easiest solution would appear to be to not use -private with ff3.6+. Maybe we should test it with 3.6, 4 and 5 - if on 4 and 5 it merely ignores the private flag, that's at least not destructive, we could only use it on 4+???

Another option is to have a checkbox in the installer.

BOTH OF THESE SOLUTIONS SUCK! So we're back to where we started. :( Telling them to use Chrome sucks too. It's not widely available on linux yet, and it's not clear whether it has the CSS history fix.

Are there any other options? :(