Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Scratchpad and Private Browsing Mode

12 views
Skip to first unread message

Kevin Dangoor

unread,
Jun 10, 2011, 9:32:16 AM6/10/11
to dev-apps-firefox
During the devtools testday, an interesting question came up: how should the
Scratchpad tool behave with respect to private browsing?

Scratchpad is basically a notepad that lets you evaluate JavaScript code in
the context of the frontmost tab. It is not tied to that tab... when you ask
it to run some code, it runs it in the frontmost tab at that time...

Vlad from QA summed it up nicely in IRC: "i would like the data to remain
from a developer's point of view, but it kind of contradicts with PB
behavior and expectations"

Since this is a developer tool, do we stick with the intuition that a
developer wants their Scratchpads to stick around regardless of what they're
browsing, or does the behavior of private browsing mode toward content
windows take precedence?

Kevin

--
Kevin Dangoor

work: http://mozilla.com/
email: kdan...@mozilla.com <k...@blazingthings.com>
blog: http://www.BlueSkyOnMars.com

Dave Townsend

unread,
Jun 10, 2011, 9:51:28 AM6/10/11
to dev-apps-firefox
What data exactly are we talking about here? Just the JS written in the
scratchpad window? I see no reason to throw that away when switching out of
PB. Or is there some JS scope leakage from sites you were viewing in PB
possible here?

Kevin Dangoor

unread,
Jun 10, 2011, 9:59:01 AM6/10/11
to Dave Townsend, dev-apps-firefox
On Fri, Jun 10, 2011 at 9:51 AM, Dave Townsend <dtow...@mozilla.com>wrote:

> What data exactly are we talking about here? Just the JS written in the
> scratchpad window? I see no reason to throw that away when switching out of
> PB. Or is there some JS scope leakage from sites you were viewing in PB
> possible here?
>

Since Scratchpad runs against the frontmost tab, there shouldn't be leakage
of scope... so, yes, we're just talking about the JS.

It's *possible* that the JS you have in your Scratchpad could be related to
the site. For example, let's say you were running some test ajax requests:

$.get("/someurl/?secretcode=PASSWORD", function(data) {...});

Ehsan Akhgari

unread,
Jun 10, 2011, 11:39:46 AM6/10/11
to Kevin Dangoor, dev-apps-firefox, Dave Townsend
On 11-06-10 9:59 AM, Kevin Dangoor wrote:
> On Fri, Jun 10, 2011 at 9:51 AM, Dave Townsend<dtow...@mozilla.com>wrote:
>
>> What data exactly are we talking about here? Just the JS written in the
>> scratchpad window? I see no reason to throw that away when switching out of
>> PB. Or is there some JS scope leakage from sites you were viewing in PB
>> possible here?
>>
>
> Since Scratchpad runs against the frontmost tab, there shouldn't be leakage
> of scope... so, yes, we're just talking about the JS.

Private Browsing aims to protect against persistent storage of data
which reveals your browsing history. I don't see any risk with regards
to that with Scratchpad, so I don't think we need any special handling.

If the Scratchpad were tied to a tab (like the View Source window), I'd
argue that we need to close it when leaving the private browsing mode
(as we do for View Source windows).

> It's *possible* that the JS you have in your Scratchpad could be related to
> the site. For example, let's say you were running some test ajax requests:
>
> $.get("/someurl/?secretcode=PASSWORD", function(data) {...});

For sure. But this is not something that we need to worry about, the
same way that we don't worry about what happens if a user copies and
pastes some similarly sensitive information into a text editor while in
Private Browsing mode.

Cheers,
Ehsan

0 new messages