[webkit-gtk] Private browsing

Fri Jan 20 01:24:19 PST 2017

Hi, 

the last days I've been looking at the private browsing support in
WebKit, to fix several cases where things were not working. We have
always supported private browsing via WebKitSettings:enable-private-
browsing, but I guess nobody is actually using it because it has always
been kind of broken. 

In epiphany we have never used it, and instead we simply create a
WebKitWebsiteDataManager configured to store the data in a temporary
directory that is deleted when the private instance exits. This
approach is better than nothing, but it's not good enough, for several
reasons:

 - We are unnecessarily writing things to disk.
 - If UI process crashes, data will still be in the temp directory.
 - WebKitWebsiteDataManager doesn't cover all situations in which
websites can write to disk, for example plugins that need to be
configured in private mode explicitly, or the favicon database.
 - Any other behavior in WebCore that depends on ephemeral session is
not honored.

In the past WebKit used the enablePrivateBrowsing setting that was
checked everywhere when needed. Now, pages have a session ID
associated. There's a default session ID, and any other ID is
considered ephemeral. So, to enable private browsing we just need to
associate the page to any session ID different than the default one.
The main different is that now in WebKit2 at least, the association
happens on WebPageProxy construction, so it's not possible to
enable/disable private browsing in a WebKitWebView, you must create a
private or non-private web view. With the WebKit2 C API, this is
achieved by creating a non persistent WebsiteDataStore and pass it to
the WebPageProxy as PageConfiguration.

So, I think we should fix the private browsing mode in WebKitGTK+,
deprecate the private browsing setting and add new API to properly
handle private browsing sessions.

In our current API, the WebKitWebsiteDataManager is associated to the
WebKitWebContext, and not to the WebKitWebView, all pages for the same
context use the same website data store. So, it would be confusing to
add a WebKitWebView constructor taking a WebKitWebsiteDataManager. The
page only uses the website data store to get the session ID, and the
context to configure the website data paths. So, I think we can hide
the detail that private browsing depends on a non persistent website
data store. I wouldn't like to expose session IDs either. So, I think
we could add a construct only property, and when enabled create a non
persistent website data store internally to be used instead of the one
from the web context. It could be WebKitWebView:is-private for example
or is-ephemeral maybe.

With this approach every WebKitWebView created with private browsing
enabled will have its own session ID. This makes sense if you want to
have a normal web context with private and non-private web views.
However, in the case of epiphany, for example, the whole browser
instance is private, so it would be more convenient if we could also
set the whole context as private. In that case we create a non
persistent data store that will be used by all web views. You could
still create a private web view explicitly that will use a different
session ID (not sure it's useful, but still). For this we could add
also a construct only property to WebKitWebContext and a new
constructor webkit_web_context_new_private() or new_ephemeral().

What do you think?

-- 
Carlos Garcia Campos
http://pgp.rediris.es:11371/pks/lookup?op=get&search=0xF3D322D0EC4582C3
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 224 bytes
Desc: This is a digitally signed message part
URL: <https://lists.webkit.org/pipermail/webkit-gtk/attachments/20170120/abe572a2/attachment.sig>