2011-09-28

Safari woes: which bit of "Reset" didn't you understand?

As someone who works in software development, from time to time I have to use a clean browser to explore a technical problem. It's a pain to use my everyday browser for this because it means wiping all the identities on all my favourite websites so, like most developers, I keep one of my browsers for just this type of purpose.

In my case, the browser I choose to test with is Safari, partly because it has a neat "Reset Safari..." menu item that makes it easy to go back to a clean browser state at the start of the test.

Today, my world is upside down. The confidence I had in my ability to control access to my private information is shaken.

It started with iGoogle. Safari opened on my iGoogle home page as usual, I selected "Reset Safari..." with all the settings and was left staring at a plain iGoogle window inviting me to sign in. So far so good.

My next action was to open a new tab: my iGoogle page appeared again. Interestingly the Gmail, bookmarks, Google Reader gadgets and so on were all logged out but that new black strip at the top of the screen clearly said "Steve Lay" and clicking on Google plus revealed my latest posting including my private automatic check-ins. Somehow my identity had come back from the dead.

Perhaps this is a memory bug in Safari I thought, I saw some advice on the internet suggesting I should quit Safari just after reseting. This time my name was missing from the black strip on iGoogle, but clicking "+You" took me back to my Google+ home page again. My identity was back.

I had strange visions of the old Roger Moore movie, The Man Who Haunted Himself. Perhaps this is my other identity, may be this Steve Lay has checked into different places, posted different things?

The answer seems to be more mundane, though I'm a bit hazy on the technical details. It seems that the other identity that keeps breaking through into Safari is probably the Steve Lay that is logged in to Google with Chrome. You see, both Safari and Chrome use the WebKit framework to handle basic web protocols. In turn, Apple's implementation directs all WebKit based HTTP traffic through a low-level part of the system that handles Cookies for you. The upshot is, if I'm understanding the documentation correctly, that Cookies are shared between all WebKit applications.

That means that "Reset Safari..." probably doesn't do what you want. But, when you think about, it isn't just the reset function that is acting strangely here. I'm used to the idea that a Browser can't get a cookie until I've been to the originating website, and it can't identify me until I've logged in to the originating website. But none of this is true. Safari can find cookies and identities provided you have a logged in with any WebKit browser, which is quite different.

It is common these days for social networking sites to store badges on almost every web page which enable the network's owners to marry up your identity with that of the page you visited and hence get a better picture of your browsing habits. One way to reduce the amount of personal information you leak this way is to ensure you've logged out of services like Google and Facebook before you go reading up on that embarrassing medical condition or searching online for a divorce lawyer. When (or if) identities are going to routinely leak between browsers it is going to be much harder to prevent this type of information getting in to the wrong hands.