Security/Automatic Private Browsing Upgrades

Revision as of 06:00, 26 August 2015 by Bram (Added toolbar indicator)
Warning: This is just a draft proposal for a new Firefox feature

Description

 
Flow

The goal of this feature is to provide a way for website authors to tell Firefox that the site should only be viewed while in Private Browsing.

It is a bit like HSTS, but for local attackers.

Delivery Mechanism

We define a new require-private CSP directive. It can be delivered as an HTTP header:

Content-Security-Policy: require-private

or as a meta tag inside the page's head:

<head>
  <meta http-equiv="content-security-policy" content="require-private">
</head>

Note on fingerprinting

This is not meant as a way for a site to probe whether or not the user is in Private Browsing mode. It could be used for that, but using it would cause some pretty major UX disruptions.

Triggers

There are three ways to trigger it:

  • Typing a URL in the address bar and pressing Enter
  • Opening a bookmark
  • Clicking a link

Once triggered, the following happens:

  1. We open the "protected" URL in a new private browsing window
  2. In this private browsing window, we show a message saying that the user was upgraded because the site owner has asked for it
  3. The original tab is navigated to about:blank (or maybe closed if it doesn't have any history)
  4. We delete the protected URL from the history
  5. We purge all site data (cookies, localStorage, cache, etc.) associated with the protected URL
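
An added sketch, not part of the original proposal and not Firefox code, of how a browser could detect the require-private directive (header or meta delivery) and sequence the steps above. The function names, action strings, the origin-scoped purge and the no-op inside an already-private window are assumptions.

```javascript
// Added illustration of the draft proposal; not Firefox code. All names are hypothetical.

// Collect directive names from a serialized CSP value. A header value may carry
// several comma-separated policies; each policy is a ";"-separated directive list.
// Directive names are case-insensitive. (Meta content is parsed the same way here.)
function directiveNames(value) {
  const names = new Set();
  for (const policy of value.split(",")) {
    for (const directive of policy.split(";")) {
      const name = directive.trim().split(/\s+/)[0];
      if (name) names.add(name.toLowerCase());
    }
  }
  return names;
}

// True if any header value or <meta http-equiv> content carries require-private.
// Matching on the directive name avoids false hits such as "report-uri /require-private".
function requiresPrivate(cspHeaders = [], metaCsp = []) {
  return [...cspHeaders, ...metaCsp].some((v) => directiveNames(v).has("require-private"));
}

const TRIGGERS = new Set(["address-bar", "bookmark", "link"]);

// Return the ordered actions the proposal lists for one navigation.
function planNavigation({ url, trigger, inPrivateWindow, tabHasHistory, cspHeaders, metaCsp }) {
  // Assumption: a window that is already private needs no upgrade.
  if (inPrivateWindow || !TRIGGERS.has(trigger)) return [];
  if (!requiresPrivate(cspHeaders, metaCsp)) return [];
  return [
    `open-private-window ${url}`,
    "show-upgrade-notice",
    tabHasHistory ? "navigate-original-tab about:blank" : "close-original-tab",
    `delete-history ${url}`,
    // Assumption: "site data associated with the URL" is scoped to its origin.
    `purge-site-data ${new URL(url).origin}`,
  ];
}

// Constructed sample navigation.
console.log(planNavigation({
  url: "https://shelter.example/help", trigger: "link", inPrivateWindow: false,
  tabHasHistory: true, cspHeaders: ["default-src 'self'; Require-Private"], metaCsp: [],
}));
```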

   

Prospective clients

Example websites that might be interested:

Example websites without a tutorial on hiding your tracks:

Related