Firefox 3.5 Armed with Privacy Controls

Mozilla has responded to enhanced privacy settings in rival browsers from Microsoft, Apple and Google with new privacy features of its own.

In Firefox 3.5, released yesterday, Mozilla has added its own version of private browsing to match a feature offered by Google Chrome, Internet Explorer 8 and Safari. But Mozilla took the additional step of adding a Clear Recent History tool and a Forget This Site feature to bring more layers of privacy to its users.

When private browsing is enabled, nothing a user encounters on the web will be stored from that moment on during the browsing session. The problem with private browsing modes, however, is that they require users to know ahead of time that they want to be private, said Johnathan Nightingale, Mozilla’s security expert known as its “human shield”.

“Sometimes the history you want to get rid of is browsing you’ve already done,” Nightingale said. “That’s why we’ve also included the Clear Recent History tool … You can ask us to clear the last hour, the last day or even clear everything, and when you do, we will clear it everywhere. Our power users could always do this, deleting their cookies and their history and their downloads manually, but this tool gives you a single click to clear it all.

“Likewise, when the browsing you want to get rid of is a particular site instead of a particular time frame, we have added a tool called ‘Forget About This Site’ that allows you to right-click on any entry in your history, and tell Firefox to forget everything it knows about that site, as though you’d never visited it,” he added.

In addition to the privacy controls, Mozilla fixed a few bugs and added HTTP Access Control to enable site authors to control who accesses content they put online.

“As people start putting new content online like open video and downloadable fonts (both supported in Firefox 3.5), this will let them control how those are used by third parties,” Nightingale said.

Looking ahead, Mozilla has started working on a feature called Content Security Policy (CSP) to fight cross-site scripting. In order to differentiate legitimate content from injected or modified content, CSP requires that all JavaScript for a page be loaded from an external file and served from an explicitly approved host.

“This means that all inline script, JavaScript: URIs and event-handling HTML attributes will be ignored,” Brandon Sterne, security programme manager at Mozilla, blogged June 19. “Only script included via a

CSP was slated for a future Firefox release, Nightingale said.