Persistent mode

Persistence Mode Exceptions

Notes from Bella and Rui's conversation

User Story: "As a user browsing daily, I want to remain logged in on specific web pages so that I don't have to log in every time I open the browser"

Rui's vision for what this feature is:

Hypothesis: too much friction (every time, 2FA, etc.) in this aspect makes it more difficult for users to adopt the browser as their primary one

User feedback about this feature: gathered by Rui during his conversations with users on MB GitHub issues (see the posts and comments under: https://github.com/mullvad/mullvad-browser/issues/29#issuecomment-1640043659), forums (example: https://discuss.privacyguides.net/t/mullvad-web-browser-can-its-advanced-privacy-features-cause-harm-for-the-user/16657/5 or https://www.reddit.com/r/browsers/comments/1c4mcd8/why_mullvad_is_not_taken_in_consideration_while/), chats and in person (and personal experience, aka why Rui doesn't use Mullvad Browser as his main browser while dedicating his time to it).

User experience: "simple, just want to stay logged in for some specific websites, if I include a certain website (not domain), it’s added to a list and keeps the user logged in."

There should be a very visible indicator that the excluded website is not getting reset like the rest at session end.

Crucially, by default, ending a session should clean any state as if in PBM mode (remove any possibility of any fingerprintable state)

User Flow:

"(...) users can indicate that they want to be forgotten when a site is closed. When this option is set, Brave will clear first-party storage for the site a few seconds after there are no more open tabs for the site. Forgetful Browsing clears both explicitly stored values (e.g. cookies, localStorage, or indexedDB) and indirectly stored values (e.g. HTTP cache or DNS cache)."

User Profiles (possibly as a second step or in parallel)

  • Profile 1: Private browsing mode (catering to activists, journalists, etc. aka the Tor Browser threat model in the public consciousness). This is a different experience, can't be just another tab, as switching between profiles on different tabs can lead to easy mistakes.

  • Profile 2: Relaxed mode (aligned with the fight against the mass surveillance threat model) is for specific exception websites on which a user can be kept logged in, with disk avoidance optionally relaxed (history, ...)

  • Nice to have (long term required?): Keep the same browser fingerprint as the private browser mode. (Keep both profile users in the same crowd).

  • Start with those two existing threat models, which don't need further user research, because profile 1 is what we currently have with TB (nothing to do here) and profile 2 is already well defined.

FURTHER NOTES

1 - When you observe people talking about how they use MB/TB or other privacy browsers, they naturally tend to have a browser for each threat model. The idea is to allow users to create separate profiles for different threat models (some users are already doing this even though switching profiles is a pain in Firefox).

2 - There are additional benefits/details for adopting profiles as outlined:

  • optionally allow writing to disk (history, etc.).
  • making sure there's a clean break between the traditional PBM mode and the logged-in exceptions without any need of migrating users
  • lock down settings as much as possible in PBM mode and direct users to the other profile if they want to mess with settings
  • kill the franken-browser, aka TB/MB with PBM disabled, which should be unsupported and creates issues; valuable time is spent half-supporting something that can never be supported, for good reasons: users end up in a bad setup that will potentially help them shoot themselves in the foot (or in the head in the worst case scenario)

3 - The next steps would be:

  • to have the welcome page as a check on the current threat model profile, with info on how to fix things if necessary.
  • potentially more specific threat models/profiles, based on user research and needs

This is only noted here to give context of the logical progression and the long term vision: a privacy-focused browser helping you stay as safe as possible based on your threat model.

Edited by morgan