**WIP**
# Requirements

- Proxy Obedience: The browser MUST NOT bypass Tor proxy settings for any content.
- State Separation: The browser MUST NOT provide the content window with any state from any other browsers or any non-Tor browsing modes. This includes shared state from independent plugins, and shared state from operating system implementations of TLS and other support libraries.
- Disk Avoidance: The browser MUST NOT write any information that is derived from or that reveals browsing activity to the disk, or store it in memory beyond the duration of one browsing session, unless the user has explicitly opted to store their browsing history information to disk.
- Application Data Isolation: The components involved in providing private browsing MUST be self-contained, or MUST provide a mechanism for rapid, complete removal of all evidence of the use of the mode.
- Cross-Origin Identifier Unlinkability: User activity on one URL bar origin MUST NOT be linkable to their activity in any other URL bar origin by any third party automatically or without user interaction or approval.
- Cross-Origin Fingerprinting Unlinkability: User activity on one URL bar origin MUST NOT be linkable to their activity in any other URL bar origin by any third party.
- Long-Term Unlinkability via "New Identity" button: The browser MUST provide an obvious, easy way for the user to remove all of its authentication tokens and browser state and obtain a fresh identity.

- Proxy Obedience
- State Separation
- Disk Avoidance
- Application Data Isolation
- Cross-Origin Identifier Unlinkability
- Cross-Origin Fingerprinting Unlinkability
- Long-Term Unlinkability via "New Identity" button
- Other Security Measures
- Usability features
- Onion Location