Privacy/Reviews/New Tab
Document Overview
Item | Value |
---|---|
Feature/Product: | New Tab |
Projected Feature Freeze Date: | (tbd) |
Product Champions: | Tim Taubert & Asa Dotzler |
Privacy Champions: | David Dahl & Sid Stamm |
Security Contact: | Curtis Koenig |
Document State: | [AT RISK] needs resolutions |
Timeline:
Milestone | Status |
---|---|
Architectural Overview: | done |
Recommendation Meeting: | (date TBD) |
Review Complete ETA: | 1-June-2012 |
Architecture
In this section, the product's architecture is described. Any individual components or actors are identified, their "knowledge" or what data they store is identified, and data flow between components and external entities is described.
The main objective of this feature/product is:
The New Tab Page will be shown to the user when opening a new tab. It shows up to nine of the user's most visited URLs together with their thumbnails. The user can re-arrange or remove these sites. URLs can be blocked from appearing on the New Tab Page again. Any URL can be dropped onto the grid.
Design Documents:
http://people.mozilla.com/~shorlander/files/new-tab-prototype-i03/new-tab-prototype-i03.html
Components
Describe any major components in the system and how they interact. Also include any third-party APIs (those Mozilla does not control) and what type of data is sent or received via those APIs.
Note: All the components listed below are parts of the browser and are not third party services or software.
about:newtab
This is a normal web page that is presented to the user when opening a new tab. It accesses the Places component to retrieve the user's most visited sites and displays them. The thumbnail service is queried to retrieve a thumbnail for the URLs shown on the New Tab Page grid.
Stored Data:
What | Where |
---|---|
URLs that should not be shown | localStorage for about:newtab |
URLs with specific positions | localStorage for about:newtab |
Communication with Places
Direction | Message | Data | Notes |
---|---|---|---|
In: | 100 most-visited sites | List of URLs and titles | |
Communication with Thumbnail Service
Direction | Message | Data | Notes |
---|---|---|---|
Out: | URL of the page to get a thumbnail for | string | |
In: | Path to the thumbnail for a given URL | string/nsIFile | |
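The two localStorage entries above, plus the list of most-visited sites that comes in from Places, are everything about:newtab needs to lay out its grid. The following is an added example, not code from about:newtab itself, showing how those pieces combine: pinned sites keep their slot, blocked URLs never appear, and the remaining cells are filled in most-visited order. The localStorage key names "blockedLinks" and "pinnedLinks", the record shapes, and the in-memory storage stand-in are assumptions made for this example.

```javascript
// Added example, not about:newtab's own code. The localStorage key names
// ("blockedLinks", "pinnedLinks") and the {url, title} record shape are
// assumptions for this illustration.
const GRID_SIZE = 9;

// Read the two pieces of state the review lists as stored in localStorage.
function readGridState(storage) {
  const blocked = new Set(JSON.parse(storage.getItem("blockedLinks") || "[]"));
  // pinned: array of up to GRID_SIZE slots, each null or {url, title}
  const pinned = JSON.parse(storage.getItem("pinnedLinks") || "[]");
  return { blocked, pinned };
}

// topSites: the up-to-100 {url, title} entries from Places, most visited first.
function buildGrid(topSites, state) {
  const grid = new Array(GRID_SIZE).fill(null);
  const used = new Set();
  // Pinned sites keep their slot regardless of visit frequency, unless blocked.
  state.pinned.forEach((link, i) => {
    if (link && i < GRID_SIZE && !state.blocked.has(link.url)) {
      grid[i] = link;
      used.add(link.url);
    }
  });
  // Fill the remaining cells, in order, with the most visited unblocked sites.
  let next = 0;
  for (const site of topSites) {
    if (state.blocked.has(site.url) || used.has(site.url)) continue;
    while (next < GRID_SIZE && grid[next] !== null) next++;
    if (next >= GRID_SIZE) break;
    grid[next] = site;
    used.add(site.url);
  }
  return grid;
}

// Blocking a URL removes it from any pinned slot and persists the block so the
// site does not reappear on the New Tab Page (the behaviour the review describes).
function blockUrl(storage, url) {
  const state = readGridState(storage);
  state.blocked.add(url);
  const pinned = state.pinned.map(l => (l && l.url === url ? null : l));
  storage.setItem("blockedLinks", JSON.stringify([...state.blocked]));
  storage.setItem("pinnedLinks", JSON.stringify(pinned));
}

// Minimal in-memory stand-in for window.localStorage so this runs outside Firefox.
class MemoryStorage {
  constructor() { this.m = new Map(); }
  getItem(k) { return this.m.has(k) ? this.m.get(k) : null; }
  setItem(k, v) { this.m.set(k, String(v)); }
}

// Constructed sample: twelve "most visited" sites, most visited first.
const SAMPLE_TOP_SITES = Array.from({ length: 12 }, (_, i) => ({
  url: `https://site${i}.example/`, title: `Site ${i}`,
}));

// Pin one site into slot 2, block the most visited one, then build the grid.
function demo() {
  const storage = new MemoryStorage();
  storage.setItem("pinnedLinks", JSON.stringify([
    null, null, { url: "https://pinned.example/", title: "Pinned" },
  ]));
  blockUrl(storage, "https://site0.example/");
  return buildGrid(SAMPLE_TOP_SITES, readGridState(storage)).map(l => l && l.url);
}
```

Because the blocked list lives in localStorage for about:newtab, clearing site data for that origin also clears the user's block and pin choices; that is worth keeping in mind when reasoning about the "Real Choice" principle below.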
Thumbnail Service
The thumbnail service captures thumbnails of web pages while the user navigates through the web. The currently displayed web content is captured and written to disk as a PNG file.
Stored Data:
What | Where |
---|---|
Thumbnails as raw PNG files | $PROFILE/thumbnails/ directory |
Communication with about:newtab
Direction | Message | Data | Notes |
---|---|---|---|
In: | URL of the page to get a thumbnail for | string | |
Out: | Path to the thumbnail for a given URL | string/nsIFile | |
User Data Risk Minimization
A patch is in progress to stop the thumbnail service from capturing pages served over SSL. Since the pages most likely to show sensitive data (banking, webmail, anything behind a login) are usually served over SSL, this addresses most of the data-retention concern with this feature, although sensitive content served over plain HTTP is not covered by it.
See bug 754608 for the privacy concerns and ideas discussed so far.
Alignment with Privacy Operating Principles
In this section, the privacy champion will identify how the feature lines up with Mozilla's privacy operating principles.
See Also: Privacy/Roadmap_2011#Operating_Principles:
Principle: Transparency / No Surprises
A user may be surprised by the thumbnails the first few times, but will quickly get used to the feature. It only shows sites the user has actually visited, so there are no unexpected "suggestions".
Risk: Users' private browsing history may be leaked from private browsing mode to regular mode through thumbnails that are created.
Requirement: Verify that this feature does not create and store new thumbnails during private browsing mode.
Principle: Real Choice
Users should have control over whether or not this feature is active.
Risk: Users will not like this feature but will not be able to disable it.
Requirement: Create a mechanism so users can disable this feature; the browser.newtabpage.enabled preference serves this purpose.
Principle: Sensible Defaults
It is reasonable to enable this by default, since users tend to re-visit a few sites.
Risk: Thumbnails may contain private data. Where possible, thumbnails of pages showing sensitive data (a bank account ledger, private emails, private photos, etc.) should not be created or shown.
Requirement: Do not create or display thumbnails for pages showing sensitive data. If possible, do not create thumbnails of pages behind a user log-in, or at least not of SSL sites for which the user has cookies set.
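The requirements under "Transparency / No Surprises" (no thumbnails during private browsing), "User Data Risk Minimization" (the patch skipping SSL pages) and "Sensible Defaults" (no thumbnails behind a login, or at least not for SSL sites with cookies) all reduce to a single capture-time decision. The following is an added example, not Firefox's thumbnail service, that expresses that decision as one predicate with both SSL policies side by side. The page descriptor and its fields (url, isPrivate, hasCookies), the policy object, and the non-web-scheme check are assumptions made for this example.

```javascript
// Added example, not Firefox's thumbnail service. The `page` descriptor
// (url, isPrivate, hasCookies) and the `policy` object are assumptions.

// Two policies the review discusses: skip every SSL page (the patch under
// "User Data Risk Minimization"), or only skip SSL pages for which the user
// has cookies set, i.e. pages likely to sit behind a login.
const POLICY_SKIP_ALL_SSL = { skipAllSsl: true };
const POLICY_SKIP_SSL_WITH_COOKIES = { skipAllSsl: false };

function shouldCaptureThumbnail(page, policy) {
  // Private browsing: never write a thumbnail to the on-disk store, or the
  // private session leaks into the regular one via $PROFILE/thumbnails/.
  if (page.isPrivate) return { capture: false, reason: "private-browsing" };

  let url;
  try {
    url = new URL(page.url);
  } catch (e) {
    return { capture: false, reason: "unparseable-url" };
  }

  // Assumption beyond the review text: only ordinary web content is worth a
  // thumbnail; about:, file:, data: and similar schemes are skipped.
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { capture: false, reason: "non-web-scheme" };
  }

  if (url.protocol === "https:") {
    if (policy.skipAllSsl) return { capture: false, reason: "ssl-page" };
    if (page.hasCookies) return { capture: false, reason: "ssl-with-cookies" };
  }

  return { capture: true, reason: "ok" };
}

// Constructed sample of page loads as the service would see them.
const SAMPLE_PAGES = [
  { url: "http://news.example/", isPrivate: false, hasCookies: false },
  { url: "https://bank.example/ledger", isPrivate: false, hasCookies: true },
  { url: "https://docs.example/public", isPrivate: false, hasCookies: false },
  { url: "http://news.example/", isPrivate: true, hasCookies: false },
  { url: "about:config", isPrivate: false, hasCookies: false },
];

// Returns, for a policy, the URLs that would end up as PNG files on disk.
function capturedUrls(policy) {
  return SAMPLE_PAGES
    .filter(p => shouldCaptureThumbnail(p, policy).capture)
    .map(p => p.url);
}
```

The cookie-based rule is a heuristic: a site can keep session state in localStorage or in the URL and still be logged in with no cookies, and a public page may set a cookie for analytics. That is why the stricter skip-all-SSL policy is the one that "takes care of most of the problem" even though it also drops harmless public SSL pages.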
Principle: Limited Data
The data being collected is only that needed to display the thumbnails (this data already exists in the browser except for the thumbnail images).
Risk: Too many thumbnails will be stored, and some may contain sensitive or invalid data. Keeping very old thumbnails in the user's profile increases the risk of disclosing sensitive information to someone sifting through the browser profile on the local machine.
Recommendation: Ensure that thumbnails that are no longer used are deleted from the user's browser profile.
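One way to act on that recommendation is a periodic retention pass over $PROFILE/thumbnails/. The following is an added example, not Firefox's own expiration code: the files are modelled in memory as {url, mtimeMs} records so it runs without a profile directory, and the two-tier rule (a grace period for thumbnails that dropped out of the candidate list, plus a hard maximum age for everything) is this example's own choice rather than something the review specifies.

```javascript
// Added example, not Firefox's thumbnail expiration. Files are modelled as
// {url, mtimeMs} records; in a real pass they would come from listing
// $PROFILE/thumbnails/ and mapping each file back to its URL.
const DAY_MS = 24 * 60 * 60 * 1000;

// Two-tier rule (this example's own choice):
//  - a thumbnail whose URL is no longer among the live candidate sites is kept
//    for a short grace period, so a site that briefly drops out of the grid
//    does not have to be re-captured;
//  - no thumbnail survives past `hardMaxAgeMs`, live or not, because the longer
//    a stale capture sits in the profile the more likely it shows something
//    the user no longer expects to be on disk. A live site is simply
//    re-captured on the next visit.
function selectThumbnailsToDelete(files, liveUrls, nowMs, graceMs, hardMaxAgeMs) {
  const live = new Set(liveUrls);
  return files
    .filter(f => {
      const age = nowMs - f.mtimeMs;
      if (age > hardMaxAgeMs) return true;
      return !live.has(f.url) && age > graceMs;
    })
    .map(f => f.url);
}

// Constructed sample store, relative to a fixed "now".
const NOW = Date.UTC(2012, 5, 1); // 1 June 2012, the review's completion ETA
const SAMPLE_FILES = [
  { url: "https://site1.example/", mtimeMs: NOW - 2 * DAY_MS },  // live, fresh
  { url: "https://site2.example/", mtimeMs: NOW - 60 * DAY_MS }, // live but very old
  { url: "https://gone.example/", mtimeMs: NOW - 3 * DAY_MS },   // dropped out, within grace
  { url: "https://old.example/", mtimeMs: NOW - 20 * DAY_MS },   // dropped out, past grace
];

// liveUrls would normally be the current list of most-visited candidates that
// about:newtab can still place on the grid.
function demoExpiry() {
  const liveUrls = ["https://site1.example/", "https://site2.example/"];
  return selectThumbnailsToDelete(SAMPLE_FILES, liveUrls, NOW, 7 * DAY_MS, 45 * DAY_MS);
}
```

A separate question the pass does not answer is what happens to a thumbnail whose URL is later blocked from the New Tab Page: blocking removes the site from the grid, so its file becomes a candidate for deletion on the next run rather than being removed immediately.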
Follow-up Tasks and tracking
What | Who | Bug | Details |
---|---|---|---|
[NEW] Initial Overview Discussion | ? | | Meeting time TBD |