Removing the "Clear history when Firefox closes" option

[Brian Smith]

[reposted to dev-apps-firefox on Asa's request, with minor changes. Please reply there if you object to doing this]

This option is present in Options > Privacy > History and it has many sub-options.

There are several problems with this option. The three biggest ones are:

1. We cannot clear this stuff when Firefox closes, if Firefox crashed or was killed by the operating system. Note that getting killed is especially common on Android. We don't have any way to fix things for the user here after a crash/kill.

2. When Firefox does close normally, clearing these things from disk takes an unbounded amount of time, potentially several seconds or even over a minute. During this time, we have to either choose to block the UI, add copmlexity to the feature (and UI) to make it interruptable, or we have to leave Firefox running in the background to do the cleanup. (This last option would result in users getting the "Firefox is already running" prompt if they try to launch Firefox during the cleanup.)

3. Users do not understand the difference between permanent private browsing mode and "clear history when Firefox closes," and in particular, they are unlikely to understand the problems mentioned above. See [1] for some evidence.

I propose that we remove this option, and make the existing "Always use private browsing mode" option more visible. The preference(s) that control the removed feature would become synonyms for the "Always use private browsing mode" preference(s). I believe this will meet users privacy needs in a more effectively, it would avoid all three of the above problems, and it would be less to maintain.

I propose that we do this in Firefox 11.

- Brian

[1] http://forums.mozillazine.org/viewtopic.php?f=8&t=2203523

[Michael Lefevre]

On 04/12/2011 18:15, Brian Smith wrote:
> 3. Users do not understand the difference between permanent private
> browsing mode and "clear history when Firefox closes," and in
> particular, they are unlikely to understand the problems mentioned
> above. See [1] for some evidence.

[...]
> [1] http://forums.mozillazine.org/viewtopic.php?f=8&t=2203523

I know this is only one of your three points, but a single user report
seems rather insignificant to qualify as "some evidence".

> I propose that we remove this option, and make the existing "Always
> use private browsing mode" option more visible. The preference(s)
> that control the removed feature would become synonyms for the
> "Always use private browsing mode" preference(s). I believe this will
> meet users privacy needs in a more effectively, it would avoid all
> three of the above problems, and it would be less to maintain.

A question - how does plugin support for not storing cookie-type things
in private browsing mode compare with plugin support for clearing
cookie-type things on close?

Clearing on close has a set of check boxes where the user can choose to
what to clear, allowing them to clear, for example, cookies but not
history. Private browsing doesn't provide that control, does it?

However, there are already a bunch of third party programs that can do
the "clear on exit" type of thing, so I guess that people that want it
can use those instead of a built-in feature. I guess it could also be
done with an add-on...

Michael

[Michael B.]

Speaking as one of the people who uses the "clear history when Firefox
closes," I would be very upset if this were removed and replaced with
private browsing. I never use private browsing, nor would I ever use it.
With private browsing, much of the web breaks. In order for many sites
to work, cookies and what not must be stored. With the option, as it is
now, I can allow cookies to be saved so that the web works, then have
them automatically deleted when I close Firefox. Most video sites (not
most major ones in America,) require cookies. Almost any website you log
into, whether it's a bank, online broker, or Facebook (I'm not sure if
Facebook still doesn't work without cookies, but I know it used to at
one point), doesn't work right without cookies. The option, as it exists
now, is an awesome way to protect one's privacy while still having the
web work. If it were just "always use private browsing mode," then it
wouldn't be a very useful option because you couldn't do much more than
web surf.

[Matt Brubeck]

On 12/04/2011 03:40 PM, Michael B. wrote:
> With private browsing, much of the web breaks. In order for many
> sites to work, cookies and what not must be stored.

Cookies do work in Private Browsing mode. They aren't saved to disk,
but they are stored in memory as long until the browser is closed (or
the private browsing session ends).

Firefox's private browsing mode is specifically designed not to break
web sites or to cause any differences in behavior that would let sites
know you are using private browsing.

> Almost any website you log into, whether it's a bank, online broker,
> or Facebook (I'm not sure if Facebook still doesn't work without
> cookies, but I know it used to at one point), doesn't work right
> without cookies.

These sites will still work in private browsing mode. I verified this
by logging in to Facebook and to several banking sites and using them
while private browsing was active.

(Michael's post is more evidence in favor of Brian's claim that
"users do not understand the difference between permanent private
browsing mode and 'clear history when Firefox closes'.")

[Michael B.]

Hmm...actually, in my case, I used to use private browsing in nighties
when it was first created, but stopped when I got tired of the issues
I've described. Things have probably changed since then. Maybe I had
those issues because of bugs, considering it was still under development
at the time.

[Marco Bonardo]

On 04/12/2011 19:15, Brian Smith wrote:
> I propose that we remove this option, and make the existing "Always use private browsing mode" option more visible. The preference(s) that control the removed feature would become synonyms for the "Always use private browsing mode" preference(s). I believe this will meet users privacy needs in a more effectively, it would avoid all three of the above problems, and it would be less to maintain.

There is some difference between the two modes, that should be analyzed
and fixed before the switch. For example history is completely disabled
in PB mode, thus you don't get visited links coloring or the history
menu, nor you can search the awesomebar for history.
I suppose other services may have similar missing features. So, while
this is a valid change request, it should take into account changes that
should be made to the various subsystems to make them similarly usable,
before doing it.

-m

[EE]

I would not mind if the one in the Preferences/Options were removed, as
long as the data removal item in the Tools menu is still there. That is
the one I actually use. I prefer to clear data on a voluntary basis,
rather than automatically.

[Ehsan Akhgari]

Hi Brian,

So, as other people have mentioned, permanent private browsing is not
really equivalent with the "clear on exit" option in every case. To give
you an example, if you choose to clear history but not cookies, when you
restart Firefox, you would still be logged in to your web services, but
with permanent private browsing, you need to login again each time you
restart your browser. There are other examples as well. The main source
of difference is that private browsing is a holistic measure, whereas the
"clear on exit" option gives you fine-grained choices.

Talking about the problems that you have mentioned, number 2 is a huge
problem, which is really hard to address. We can sort of address number 1
by looking to see whether the last session was closed gracefully at startup
and clean the data at startup rather than shutdown if it was not. I think
that the most important question is the 3rd item on your list, and that
mostly falls in the UX field, but in my personal opinion trying to simplify
the private UI in any manner is a noble effort.

Cheers,
--
Ehsan
<http://ehsanakhgari.org/>

> _______________________________________________
> dev-apps-firefox mailing list
> dev-apps...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-apps-firefox
>

[Jason Duell]

I don't have a strong opinion on whether to get rid of the "clear
private data" option, but here are some thoughts on some specifics:

> number 2 [time delay while deleting data] is a huge

> problem, which is really hard to address.

Why don't we just pop up a "Clearing private data" box at shutdown if
the user has selected it and it's taking more than a second or so?
I'm not a UI guy, but this doesn't seem like such a huge deal to me.
Tinfoil hat users might even appreciate the evidence that their data
is being scrubbed :) (The story for data deletion when we're killed
on Android or crash is less fabulous, but we still handle the common
leak case--the next user won't see your data when they run the
browser. Users who really want forensic-level data deletion are going
to need stronger tools than a simple filesystem delete anyway).

We still wouldn't want such a dialog to sit there for minutes. But if
you clear your browser's cache every time you exit, then it will
presumably not be so massive that it'll take a really long time to
delete (seconds, not minutes). I'm adding telemetry for that, so we
can revisit. [I think we may also want to simply shrink our HTTP disk
cache down from 1 GB to something smaller, as the latency/"hang"
tradeoffs may not be worth it given that working set size of most
surfing sessions is probably much smaller than 1 GB--I've posted about
that to dev.tech.networking]

> So, as other people have mentioned, permanent private browsing is not
> really equivalent with the "clear on exit" option in every case.

Yes, the semantics are different and clear private data has finer
control. I'd suggest we add telemetry to see how many users are
actually using it. Even if it's better/different we might still want
to get rid of it if it's not used much and is causing us engineering
difficulties. (For instance: if we crash, the cache is marked as bogus
and we don't use it on startup. Is that true for cookies/history/form
data as well? I suspect not but I don't know.)

Jason

[Jason Duell]

We could also have a special disk cache size limit *only* for users
who've selected to clear the cache at each shutdown...

Jason

[Justin Dolske]

On 12/4/11 10:15 AM, Brian Smith wrote:

> I propose that we remove this option, and make the existing "Always
> use private browsing mode" option more visible. The preference(s)
> that control the removed feature would become synonyms for the
> "Always use private browsing mode" preference(s). I believe this will
> meet users privacy needs in a more effectively, it would avoid all
> three of the above problems, and it would be less to maintain.

I'd want to ponder this a little more deeply before committing to it,
but this seems a reasonable direction to me. I'm pretty sure limi (UX)
has mentioned wanting to do this too... We have a myriad of confusing
"things to do on shutdown" options, and the interactions are often not
clear. (And, as you noted, the difference between permanent PB mode and
this is somewhat subtle/confusing.)

The once concern that comes to mind immediately is that I'd want to
understand how many users currently use this pref, and what their use
cases are. For example, cookies have an old reputation as being some
kind of evil tracking thing, and "clear (just) cookies at shutdown" is a
pretty clear choice I could see people making.

But if there are things we want to keep, there might be better ways to
represent it. Or implement it... The first 2 of your 3 problems are
basically technical details users don't care about.

Justin

[Brian Smith]

Ehsan Akhgari wrote:
> So, as other people have mentioned, permanent private browsing is not

> really equivalent with the "clear on exit" option in every case. To
> give you an example, if you choose to clear history but not cookies,
> when you restart Firefox, you would still be logged in to your web
> services, but with permanent private browsing, you need to login again
> each time you restart your browser. There are other examples as well.
> The main source of difference is that private browsing is a holistic

> measure, whereas the "clear on exit" option gives you fine-grained
> choices.

I agree. Let me refine my proposal:

Instead of "Clear history when Firefox closes" deleting things off disk at shutdown, this option and its sub-options would prevent the data from ever being written to disk. For example, if you have the cache sub-option checked, then the disk cache would be disabled. If you have "clear cookies when Firefox closes" checked, then cookies would never be written to disk.

I think, if you had all the options checked, then the feature would work very much like permanent private browsing mode. So, actually, we could leave this option, with the semantics changed to the above, and then remove the permanent private browsing mode option, as it would be redundant. To implement the above semantics, we would use the private-browsing mode code for each component (cookies, cache, etc.), so it would be little work.

- Brian

[Brian Smith]

Jason Duell wrote:
> Why don't we just pop up a "Clearing private data" box at shutdown
> if the user has selected it and it's taking more than a second or so?
> I'm not a UI guy, but this doesn't seem like such a huge deal to me.

I agree it isn't a huge engineering project to add such UI. But, I kind of think that the main UI problem may be too much UI for this already (i.e. too many confusing privacy options). Even in my last email, I managed to misunderstand them.

> Tinfoil hat users might even appreciate the evidence that their data
> is being scrubbed :)

I think tinfoil-hatters would rather that the data was never written to disk at all, since writing-then-deleting is prone to failures.

> We still wouldn't want such a dialog to sit there for minutes. But
> if you clear your browser's cache every time you exit, then it will
> presumably not be so massive that it'll take a really long time to
> delete (seconds, not minutes).

I agree that this is is something we can do to usually reduce shutdown time. But, I think that instant-startup and instant-shutdown are very important for some very important use cases, like updating the browser. I think we need to look at what is driving the overall goal of shortening shutdown time (IIRC, to zero), and see how this feature fits in with that.

- Brian

[Brian Smith]

Brian Smith wrote:
> I think, if you had all the options checked, then the feature would
> work very much like permanent private browsing mode. So, actually, we
> could leave this option, with the semantics changed to the above, and
> then remove the permanent private browsing mode option, as it would be
> redundant. To implement the above semantics, we would use the
> private-browsing mode code for each component (cookies, cache, etc.),
> so it would be little work.

Here is yet another way of looking at this:

Currently, there are already a bunch of sub-options for permanent private browsing mode, that correspond closely to the sub-options of "clear history when Firefox closes." If we ensured that we had a sub-option for permanent private browsing mode for each sub-option of "clear history when Firefox closes," then, IMO, that would be sufficient and the "clear history when Firefox closes" options would be very close to being low-performance, low-assurance duplicates of the private browsing options.

- Brian

[Jason Duell]

What can we do to move this forward? I can see the following action
plans

1) We remove the "clear private data on shutdown" option.
2) We add UI saying "deleting private data" when it's taking > N
seconds.
3) We add telemetry to see how popular the option is, and revisit this
in 6 weeks with data in hand.

Jason

[Žiga Seilnacht]

On Dec 8, 6:36 am, Justin Dolske wrote:
> On 12/4/11 10:15 AM, Brian Smith wrote:
>
> > I propose that we remove this option, and make the existing "Always
> > use private browsing mode" option more visible. The preference(s)
> > that control the removed feature would become synonyms for the
> > "Always use private browsing mode" preference(s). I believe this will
> > meet users privacy needs in a more effectively, it would avoid all
> > three of the above problems, and it would be less to maintain.
>
> I'd want to ponder this a little more deeply before committing to it,
> but this seems a reasonable direction to me. I'm pretty sure limi (UX)
> has mentioned wanting to do this too... We have a myriad of confusing
> "things to do on shutdown" options, and the interactions are often not
> clear. (And, as you noted, the difference between permanent PB mode and
> this is somewhat subtle/confusing.)
>
> The once concern that comes to mind immediately is that I'd want to
> understand how many users currently use this pref, and what their use
> cases are. For example, cookies have an old reputation as being some
> kind of evil tracking thing, and "clear (just) cookies at shutdown" is a
> pretty clear choice I could see people making.
>

I use it exactly for this purpose, but I could live without it if the
"Keep [Cookies] Until: I close Firefox" option on the Privacy Options
tab would more closely match its functionality. Specifically, it
should
send the notification to Flash to clear LSOs on browser exit.

Regards,
Ziga

[Benjamin Smedberg]

On 12/8/2011 7:52 PM, Jason Duell wrote:
> What can we do to move this forward? I can see the following action
> plans
>
> 1) We remove the "clear private data on shutdown" option.
> 2) We add UI saying "deleting private data" when it's taking> N
> seconds.
> 3) We add telemetry to see how popular the option is, and revisit this
> in 6 weeks with data in hand.

4) When the user has chosen to clear private data at shutdown and that
includes cache, just disable the disk cache and use only the memory cache

--BDS

[Robert Kaiser]

Brian Smith schrieb:

> Instead of "Clear history when Firefox closes" deleting things off disk at shutdown, this option and its sub-options would prevent the data from ever being written to disk.

I think that's not true for plugin (Flash) data, which doesn't know
about private browsing, AFAIK, but which, from what I heard, is one of
the biggest offenders to a fast shutdown when set to delete history at
shutdown. What's your plan for that?

Robert Kaiser

[Marco Bonardo]

On 09/12/2011 16:22, Robert Kaiser wrote:
> I think that's not true for plugin (Flash) data, which doesn't know
> about private browsing, AFAIK, but which, from what I heard, is one of
> the biggest offenders to a fast shutdown when set to delete history at
> shutdown.

Afaik, and just to confirm your thought, the disk cache (bug 648232) and
plug-ins LSO data (bug 633427) are the greatest offenders to clear
history performance.
-m

[Benjamin Smedberg]

We certainly exposed a method and events for Flash to determine when the
user switches to private browsing mode: I believe that Flash does
actually use this information.

--BDS

[Philip Chee]

Ah, didn't Adobe say they were working on a private browsing API for
their flash player plugin?

Phil

--
Philip Chee <phi...@aleytys.pc.my>, <phili...@gmail.com>
http://flashblock.mozdev.org/ http://xsidebar.mozdev.org
Guard us from the she-wolf and the wolf, and guard us from the thief,
oh Night, and so be good for us to pass.

[Ehsan Akhgari]

On Fri, Dec 9, 2011 at 10:52 AM, Benjamin Smedberg <benj...@smedbergs.us>wrote:

> On 12/9/2011 10:22 AM, Robert Kaiser wrote:
>

> We certainly exposed a method and events for Flash to determine when the
> user switches to private browsing mode: I believe that Flash does actually
> use this information.
>

That is correct.

--
Ehsan
<http://ehsanakhgari.org/>

[Robert Kaiser]

Ehsan Akhgari schrieb:

Cool, I didn't know that. Makes things easier for sure!

Robert Kaiser


--
Note that any statements of mine - no matter how passionate - are never
meant to be offensive but very often as food for thought or possible
arguments that we as a community should think about. And most of the
time, I even appreciate irony and fun! :)

[Taras Glek]

On 12/5/2011 11:12 PM, Jason Duell wrote:
> We could also have a special disk cache size limit *only* for users
> who've selected to clear the cache at each shutdown...

Is there a bug filed to do this? I also think we should aggressively
limit cache size for users of this option.


Taras

[Jason Duell]

> On 12/5/2011 11:12 PM, Jason Duell wrote:> We could also have a special disk cache size limit *only* for users
> > who've selected to clear the cache at each shutdown...
>
> Is there a bug filed to do this? I also think we should aggressively
> limit cache size for users of this option.

Filed bug 709262 for that.

> the disk cache (bug 648232) and plug-ins LSO data (bug 633427) are the greatest offenders
> to clear history performance.

The "Clear recent history" has a different issue (for disk cache at
least): in that case we're currently doing a (sync) eviction rather
than an async nsDeleteDir. Bug 648232 is the proper fix, and I've
filed bug 709297 for a workaround (lower disk cache max size for now)
if we don't get it fixed soon enough.

I still haven't gotten an answer to whether cookies/history/etc are
cleared properly if "Clear private data on shutdown" is selected, and
we're killed by Android (and I still suspect the answer is "no"), so I
think the issue of whether the option ought to be removed (and if not,
what needs to happen to properly support it) is still open. But I
think this covers the disk cache issues.

Jason

[Cyko_01]

I have to side with Michael B on this one. I use the "clear history
when firefox closes" in order to keep my cookies and active log-ins
because I find it very annoying to have to re-enter them all the time,
but I like to clear out all my other history stuff and cache. I don't
need a "porn mode" I just don't want porn stuff popping up in obvious
places of the UI. I too would be very upset if I was forced to use
permanent private browsing mode.

[Ehsan Akhgari]

On Fri, Dec 9, 2011 at 5:20 PM, Jason Duell <jduell...@gmail.com> wrote:

> > the disk cache (bug 648232) and plug-ins LSO data (bug 633427) are the
> greatest offenders
> > to clear history performance.
>

> I still haven't gotten an answer to whether cookies/history/etc are
> cleared properly if "Clear private data on shutdown" is selected, and
> we're killed by Android (and I still suspect the answer is "no"), so I
> think the issue of whether the option ought to be removed (and if not,
> what needs to happen to properly support it) is still open. But I
> think this covers the disk cache issues.
>

They are cleared properly on desktop platforms. We do not support Clear
History on Shutdown on Android.

[reallunce...@gmail.com]

[reallunce...@gmail.com]

On Friday, December 9, 2011 2:44:27 AM UTC+2, Brian Smith wrote:

[anjanicomp...@gmail.com]

On Sunday, December 4, 2011 11:45:22 PM UTC+5:30, Brian Smith wrote:
> [reposted to dev-apps-firefox on Asa's request, with minor changes. Please reply there if you object to doing this]
>
>
>
> This option is present in Options > Privacy > History and it has many sub-options.
>
>
>
> There are several problems with this option. The three biggest ones are:
>
>
>
> 1. We cannot clear this stuff when Firefox closes, if Firefox crashed or was killed by the operating system. Note that getting killed is especially common on Android. We don't have any way to fix things for the user here after a crash/kill.
>
>
>
> 2. When Firefox does close normally, clearing these things from disk takes an unbounded amount of time, potentially several seconds or even over a minute. During this time, we have to either choose to block the UI, add copmlexity to the feature (and UI) to make it interruptable, or we have to leave Firefox running in the background to do the cleanup. (This last option would result in users getting the "Firefox is already running" prompt if they try to launch Firefox during the cleanup.)
>
>
>
> 3. Users do not understand the difference between permanent private browsing mode and "clear history when Firefox closes," and in particular, they are unlikely to understand the problems mentioned above. See [1] for some evidence.
>
>
>

> I propose that we remove this option, and make the existing "Always use private browsing mode" option more visible. The preference(s) that control the removed feature would become synonyms for the "Always use private browsing mode" preference(s). I believe this will meet users privacy needs in a more effectively, it would avoid all three of the above problems, and it would be less to maintain.
>
>
>

> I propose that we do this in Firefox 11.
>
>
>
> - Brian
>
>
>
> [1] http://forums.mozillazine.org/viewtopic.php?f=8&t=2203523

This option is very useful and hope to be continued in further versions also..

[anjanicomp...@gmail.com]

[Andrew Joakimsen]

Just because one user in a forum can not be bothered to read the documentation is not a valid reason to change the functionality.

In case of a crash the cache and etc can be cleared on relaunch.

So, yes, I object to this change.

Sent from my iPhone

[joakimsen]

Goodness I didn’t notice. Someone else replied on this today… and I was
wondering why I didn’t see the original message.

From: Alexander Skwar [mailto:a...@skwar.me]
Sent: Thursday, February 07, 2013 4:21 PM
To: Andrew Joakimsen
Cc: anjanicomp...@gmail.com; dev-apps...@lists.mozilla.org
Subject: Re: Removing the "Clear history when Firefox closes" option

"Clear on launch"? I thought this option was called "clear on close"...
Would be rather surprising to find, that the option would NOT clear stuff
while Firefox ends.
I agree with that change.
BUT: isn't that long gone? Brian talks about Firefox 11 and that e-mail is
from 2011,  about 13 months ago.
Alexander.
--
Gesendet von Unterwegs vom Nexus 7 Tablet. Falls es interessiert… ;-)

Am 07.02.2013 20:35 schrieb "Andrew Joakimsen" <joak...@gmail.com>:
Just because one user in a forum can not be bothered to read the
documentation is not a valid reason to change the functionality.

In case of a crash the cache and etc can be cleared on relaunch.

So, yes, I object to this change.

Sent from my iPhone

On Feb 7, 2013, at 5:42 AM, anjanicomp...@gmail.com wrote:

[Justin Dolske]

On 2/7/13 11:34 AM, Andrew Joakimsen wrote:

>>> I propose that we do this in Firefox 11.

>> This option is very useful and hope to be continued in further versions also..

> Just because one user in a forum can not be bothered to read the documentation is not a valid reason to change the functionality.
>
> In case of a crash the cache and etc can be cleared on relaunch.
>
> So, yes, I object to this change.

The thread you are both replying to is over a year old, it was a
proposal for a change in Firefox 11. It wasn't done, and isn't actively
under consideration at the moment.

Justin

[Alexander Skwar]

Hello

"Clear on launch"? I thought this option was called "clear on close"...
Would be rather surprising to find, that the option would NOT clear stuff
while Firefox ends.

I agree with that change.

BUT: isn't that long gone? Brian talks about Firefox 11 and that e-mail is
from 2011, about 13 months ago.

Alexander.

--

Gesendet von Unterwegs vom Nexus 7 Tablet. Falls es interessiert… ;-)
Am 07.02.2013 20:35 schrieb "Andrew Joakimsen" <joak...@gmail.com>:

> Just because one user in a forum can not be bothered to read the
> documentation is not a valid reason to change the functionality.
>
> In case of a crash the cache and etc can be cleared on relaunch.
>
> So, yes, I object to this change.
>

> Sent from my iPhone
>
> On Feb 7, 2013, at 5:42 AM, anjanicomp...@gmail.com wrote:
>