[[!toc levels=2]]
Related pages
=============
* [[!tails_ticket 5525]]
* [[blueprint/Mandatory_Access_Control]]
* [[contribute/design/application_isolation]]
* `feature/5525-sandbox-web-browser` branch
* [nightly built images](http://nightly.tails.boum.org/build_Tails_ISO_feature-5525-sandbox-web-browser/)
Status
======
## automated test passes
* feature/i2p (unconfined)
* feature/torified_browsing
* feature/unsafe_browser (unconfined)
* feature/windows_camouflage
* open `https://` URL from Pidgin
* relevant bits of feature/usb_install
- view persistent bookmarks, in read-only persistence mode ([[!tails_ticket 8787]])
- persistent bookmarks, RW
* "Tails documentation" link on the Desktop ([[!tails_ticket 8788]])
* default download directory is `~/Tor Browser`
* HTML5 audio playback
* WebM video and audio playback
* download to amnesiac `~/Tor Browser`
* read from amnesiac `~/Tor Browser`
* default upload directory is `~/Tor Browser/`
* `~/Tor Browser/` must always exist
* there must always be a GTK bookmark to `~/Tor Browser/`
* import OpenPGP key from website
* printing to file
* download to persistent `~/Persistent/Tor Browser`, in
read-write persistence mode
* read from persistent `~/Persistent/Tor Browser`, in read-write
persistence mode
* when `~/Persistent/` is persistent read-write, then
`~/Persistent/Tor Browser` must exist and there must be
a GNOME bookmark pointing to it
## manual test OK
(needs to be tested again with current status of the branch at some point)
* add NoScript exception
* change stuff in about:prefs
* manually update AdBlock Plus lists
* add a bookmark, with persistent bookmarks feature enabled, in
read-only persistence mode
* install a Firefox add-on (this does not mean we actively support that, right? :)
* read from persistent `~/Persistent/Tor Browser`, in read-only
persistence mode
## manual test OK, maybe needs automated test
## known issues
## needs testing
* printing to real printer
User experience matters
=======================
Until the `feature/5525-sandbox-web-browser` branch is merged, see the
"User experience matters" section on
.
Later, see [[contribute/design/application_isolation#ux]].
Remaining questions:
1. What to do about alternative browsers (I2P and Unsafe Browser)?
We have [[!tails_ticket 8280 desc="a ticket"]] about allowing the
I2P Browser to access local files. Shall we use e.g. `~/Tor Browser
files/`, `~/I2P Browser files/` and `~/Unsafe Brower files/` (the
latter may make sense now that we plan to move the LAN browsing
support into the Unsafe Browser) — and equivalently,
`~/Persistent/Tor Browser/`, etc.? or rather a single
shared namespace, with e.g. `~/Browser files/Tor Browser`,
`~/Browser files/I2P Browser`, etc.?
In any case, of course we should _not_ allow a given browser to
access files in other browsers' own download directory (this would
be too much of a linkability and de-anonymization risk)
2. The "New Identity" problem. The Tor Browser tries hard to prevent
data to persist once its "New Identity" button has been clicked, to
prevent activities performed before and after this action to be
linked with each other. As boyska (a Freepto developer) made me
realize while we were discussing these problems, by introducing
a persistent downloads directory, we somewhat break this design
goal. Of course, we've never even tried protecting against this
specific attack, so maybe we can just ignore it for now. And the
Tor Browser doesn't try either -- once they add sandboxing
profiles, I bet they'll need to think about that too, so one way to
do it would be to start a discussion with them about this problem,
and consider it as a non-blocker for now. One idea we had with
boyska was to add a confirmation dialog when one clicks the "New
Identity" button in the Tor Browser, that makes it clear what's
going to be lost (e.g. tabs and clipboard, which surprises a lot of
users in my experience, see [[!tails_ticket 7709]]), warns them
that their previous downloads will be deleted, or rather moved to
a directory where that the Tor Browser hasn't access to.
Another idea is to block the "New Identity" until the user has
themselves emptied the browser files directory, e.g.:
When I click on "New Identity" while there are files in one
of the downloads directories
Then I'm told "Tor Browser will be reset to a New Identity
once you have emptied folders $x and $y"
And then, once I have emptied the download directories
Then Tor Browser is reset to a New Identity
Food for thought.