
Issue 670488

Starred by 13 users

Issue metadata

Status: Fixed
Owner:
Closed: Jul 2017
Cc:
Components:
OS: Linux , Windows , Chrome , Mac
Pri: 3
Type: Bug

Blocking:
issue 669073




Privacy: chrome new tab can show private and sensitive data via thumbs

Reported by sagiv...@gmail.com, Dec 1 2016

Issue description

VULNERABILITY DETAILS
I can open a Chrome browser new tab and see thumbnails of several sites from my browsing history, including Gmail, even when I'm not logged in to Chrome or to Google.

The thumbs can be extracted to a larger image and the content of these thumbs is readable, and therefore the private data of Chrome users is totally exposed to other users in public places or even at home.

Please see the attached images.
chrome1.png - is a screenshot that shows the thumbs on a logged-off Google/Chrome user.

chrome2.png - shows the extracted thumb via the network tab of the chrome devtool (f12), in its original size. it can be downloaded and can be readable.

chrome3.png - the enlarged image that can be readable.

VERSION
Chrome Version: [54.0.2840.99] + [stable]
Operating System: [microsoft windows 10 home, 1607 , don't know the service pack]

REPRODUCTION CASE
1. Open a new window of a previously used (by you or others) Chrome browser.

2. Make sure no one is logged in, not to Google and not to Chrome (just to show you that the content is exposed - you can be logged in if you want).

3. See the thumbs? As you can see in my attached image? Good.

4. Press F12 or open developer tools.

5. Refresh the page and, in the developer tools, go to the Network tab and filter on "thumb".

6. Now you can click on each of the "requests" and in the left window click on the Preview tab (as you can see in the attached chrome2.png).

7. Now you can right-click on the image and save it.

8. Open the image; you can now read the content of the thumb.
If not, you can enlarge it a bit more or load the image into unblur software to sharpen the image.


That's it.
Sagiv.

 
Attachments: chrome1.PNG (130 KB), chrome2.png (215 KB), chrome3.png (102 KB)
Components: Privacy
Labels: -Type-Bug-Security -Restrict-View-SecurityTeam Type-Bug
Giving this to the privacy folks for triage
Labels: Restrict-View-Google
Components: UI>Browser>NewTabPage
Owner: treib@chromium.org
Status: Assigned (was: Unconfirmed)
I thought that we don't take screenshots on HTTPS sites.

Comment 4 by treib@chromium.org, Dec 2 2016

We do take screenshots on https sites. (Possibly that's a bug? But if so, it's been around since forever.)

The thumbnails seem to be up to 424x284 pixels in size, which makes it hard to actually read any text, but of course it's still possible to extract some information.

TBH, I'm not convinced how much of a privacy issue this is. If you use a public or shared computer, some of your information will be persisted, and visible to others (e.g. history). If you don't want that, either clear all browsing data after you're done, or use incognito/guest mode in the first place.
Dominic, is that a reasonable assessment? Do we give any privacy guarantees on shared computers?

Comment 5 by treib@chromium.org, Dec 2 2016

Cc: treib@chromium.org
Owner: battre@chromium.org
Cc: battre@chromium.org
Owner: ma...@chromium.org
I am not sure whether I have found the right source code, but https://cs.chromium.org/chromium/src/chrome/browser/thumbnails/thumbnail_service_impl.cc takes screenshots of 212x142 pixels; however, those are device-independent pixels. With new displays, I can imagine that this has changed and I would suggest that we take 212x142 real pixels and upsample them to a higher resolution if necessary.

I disagree with your assessment about shared computers. I think it is fair to assume that you share a computer with somebody in your household but assume that your email conversations are private if you log out of your email account. Sure, that other person could install a keylogger, but that's a very different league of attack.

Matthieu I think this was introduced here https://codereview.chromium.org/1028393003.

Cc: msramek@chromium.org
+msramek as I will be OOO for two weeks.

Comment 8 by ma...@chromium.org, Dec 2 2016

Cc: -treib@chromium.org ma...@chromium.org
Owner: treib@chromium.org
Taking screenshots of 212 real pixels on a 3x HiDPI display will look very bad (blurry), which is why I made the change to copy at a higher quality. I don't consider this a bug necessarily, but I could be convinced otherwise. I'm going to assign to treib@, the NTP owner, who can decide what to do.

Comment 9 by treib@chromium.org, Dec 5 2016

Cc: alcor@google.com glen@chromium.org dbeam@chromium.org
Issue 27060 has been merged into this issue.

Comment 10 by treib@chromium.org, Dec 13 2016

Cc: -glen@chromium.org rachelis@chromium.org
Labels: zine-ux OS-Chrome OS-Linux OS-Mac OS-Windows Pri-3
Summary: Privacy: chrome new tab can show private and sensitive data via thumbs (was: Security: chrome new tab can show private and sensitive data via thumbs)
This is essentially a trade-off between UX and Privacy: Reducing the resolution of the thumbnails will lessen the privacy issue, though IMO it's not really a solution. Even a low-res screenshot might contain some private information.
OTOH, the low-res screenshots will look really horrible on 2x/3x screens (which I guess in practice mostly means Macbooks and some Chromebooks).

Rachel, any opinion on this?

I guess the long-term solution could be to move away from thumbnails entirely and instead show site icons, like we do on mobile. That was partially implemented in the past, but abandoned because of poor coverage: even sites that have a large icon typically only serve it on mobile, because desktop browsers traditionally haven't done anything with it.

Comment 11 by fi...@chromium.org, Dec 22 2016

Labels: zine-triaged

Comment 12 by fi...@chromium.org, Dec 22 2016

Blocking: 669073
We should dig out a dupe in our archive. This has been discussed and WontFixed a long while ago.
Labels: -zine-ux

Comment 15 by treib@chromium.org, Feb 10 2017

Re #13, the only previous discussion I can find on this is on bug 27060, which happened before HiDPI support was around. Bug 84303 is also somewhat related, but doesn't have much info.
Do you remember anything apart from those?
Issue 691578 has been merged into this issue.

Comment 17 by fi...@chromium.org, Feb 24 2017

@treib, have you seen the screenshot posted in issue 691578 comment #1? The very first one is actually very detailed :-/
Martin, do you think if sites were to use the Clear-Site-Data header, we could clear thumbnails etc. based on that?

Comment 19 by treib@chromium.org, Mar 10 2017

Cc: rootkit@google.com

Comment 20 by treib@chromium.org, Mar 31 2017

Issue 707049 has been merged into this issue.

Comment 21 by treib@chromium.org, Mar 31 2017

Cc: och...@chromium.org
Can we remove the RVG?
Labels: -Restrict-View-Google

Comment 23 by treib@chromium.org, Jun 21 2017

Reactivating this after a long time, with two findings:

1) The 212x142 size has only historic reasons. The display size of thumbnails on the NTP is actually 154x96 (see also bug 734981).
2) On 1x devices, we actually take screenshots of twice that size, i.e. as if they were 2x, "to improve quality".

I suggest we do the following:
a) Reduce the dp size to 154x96.
b) Clamp the scale factor to 2x.
That means the maximum size in real pixels will be 308x192. Is that acceptable?
The screenshots will look a bit blurry on >2x devices, but on desktop those
should be almost nonexistent anyway.
Blurry on x2 seems sad. How common are these devices?

Comment 25 by treib@chromium.org, Jun 23 2017

My proposal was that devices with *strictly more than* 2x would be blurry - 2x would still be fine.
I don't have numbers, but I think 2.5x or 3x are basically unheard of on desktop.
This doesn't seem too unreasonable to me, though obviously not ideal. 

Would there be a way to get those numbers? 
Labels: zine-ux
This feels like a good candidate for our new UX sync. Do we have a timeline for this work (for our prioritization)?

Comment 30 by treib@chromium.org, Jun 29 2017

My proposal (limit the scale factor to a max of 2x) will be a 2-line change, I can do that as soon as there's agreement between UX and privacy.

Sure, I can come to a UX sync next week if you feel there's something to discuss.
Cc: fi...@chromium.org
I'd just like to go through it all in one go. :) Would you be able to bring screenshots?

+finkm to add this to the agenda
Marc - We're updating the process to match the feature sync. Michael will give you a 10 minute slot so you don't need to join the whole 30 mins. :)
Labels: -zine-ux
We went over this in the UX sync. 0.3% of users (Windows-only UMA) have >2x screens and would be affected. This seems like a reasonable compromise to me.


Cc: -rootkit@google.com treib@chromium.org
Owner: battre@chromium.org
Assigning to battre for visibility: Please read comment 23 and advise if that's acceptable from a privacy perspective. tl;dr thumbnails will be up to 308x192 real pixels.
Cc: rootkit@google.com
Owner: treib@chromium.org
I think that 308x192 sounds like a reasonable compromise to me. Thanks!

Comment 36 by treib@chromium.org, Jul 10 2017

Status: Started (was: Assigned)

Comment 37 by bugdroid1@chromium.org, Jul 10 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b68471b6768d4ad226aebe46bf443d28e86103bb

commit b68471b6768d4ad226aebe46bf443d28e86103bb
Author: Marc Treib <treib@chromium.org>
Date: Mon Jul 10 11:49:34 2017

Thumbnails: Limit to 2x scale

At higher scale factors, the thumbnails can otherwise get large enough
to make text readable. Limiting their size mitigates this.

Bug: 670488
Change-Id: I25d74774455453ee39228d82f5f74639a799b54e
Reviewed-on: https://chromium-review.googlesource.com/564617
Commit-Queue: Friedrich Horschig <fhorschig@chromium.org>
Commit-Queue: Marc Treib <treib@chromium.org>
Reviewed-by: Friedrich Horschig <fhorschig@chromium.org>
Cr-Commit-Position: refs/heads/master@{#485237}
[modify] https://crrev.com/b68471b6768d4ad226aebe46bf443d28e86103bb/chrome/browser/thumbnails/thumbnail_utils.cc
[modify] https://crrev.com/b68471b6768d4ad226aebe46bf443d28e86103bb/chrome/browser/thumbnails/thumbnail_utils_unittest.cc

Comment 38 by treib@chromium.org, Jul 10 2017

Status: Fixed (was: Started)

Comment 39 by treib@chromium.org, Jul 14 2017

Issue 716724 has been merged into this issue.
Hey guys,

Quick question...

Would I be rewarded somehow for this bug?

Thanks,

Sagiv.
Sorry, the bug reward program is currently only aimed at security issues, not privacy issues.

This bug does not allow a remote attacker to exploit Chrome, it only reveals information to a user using the same device / same instance of Chrome. It's therefore not a security bug.
Issue 809581 has been merged into this issue.
Hi,

I am slightly concerned about this. I had been able to get it to capture behind login on a financial services page and with little effort make the information clearly legible.
What effort did you undertake to make the information visible?

From a security POV, it's important to keep in mind that someone with physical access to your computer can perform all manner of attacks. That's why enabling a password for your operating system and locking your computer when it is not under your direct control is important: https://chromium.googlesource.com/chromium/src/+/master/docs/security/faq.md#Why-arent-physically_local-attacks-in-Chromes-threat-model

Enlarged/enhanced the image.

In our shared office space, people often 'hot-desk', allowing others to use their PCs. Is there a reason why the snapshot is captured inside, not outside, of login? I.e. I wouldn't knowingly permit third-party software to take any kind of snapshot when I'm accessing my bank account.

Comment 46 Deleted

Re #45: How specifically did you "enlarge/enhance" the image? Thumbnails contain a small number of pixels, so enlarging simply makes the blocky image bigger.

> Is there a reason why the snapshot is captured inside, not outside, of login?

I believe screenshots are taken at the time of page unloading.

You can prevent a given site's thumbnail from appearing on the new tab page by hovering over the top-right of the image and clicking the X icon with the tooltip "Do not show on this page". Similarly, you can use the browser's Incognito Mode or Guest profile to prevent recording of history.

> In our shared office space, people often 'hot-desk', allowing others to use their PCs.

This is fundamentally non-secure, as explained in the link in #44. This remains non-secure, even if you use Guest/Incognito mode.
Hi Team,

My feeling is that capturing behind-login information that's then presented to the user is fundamentally non-secure, despite the attempt to obscure it in a low-resolution capture.

There is basic image enhancement available to public domain (through websites/photoshop) and specific tooling for industry. 

Acknowledged - There is opportunity to opt out of this and close using X icon.

Principally, my position on this hasn't shifted. I don't think there is a need to present information from behind a login in any way/at any time, because it presents a possible risk and there is no cause to do so.

I will advise internally to clear this bookmarking.

Thanks for looking into the issue.


Regards,

C.Dennington


Comment 49 by huangs@google.com, Feb 9 2018

Also, if you use Incognito Mode, be sure to exit all Incognito windows once you're done, so session cookies get deleted.
However, it does appear by your own admission that this is likely a bug. (Read: above thread, answers 3 and 4.) There is no reason to capture HTTPS.

Attachment: IMG_0050.PNG (145 KB)
RE #50: No, it's absolutely not a bug. The vast majority of pages are HTTPS today, and the Chrome team is working hard to get to 100% deployment of HTTPS.

I point again to comment #44, which explains why "privacy from local attackers" isn't an attainable goal.
Given that an increasingly large percentage of the web is served over HTTPS (and we would like that percentage to go to 100%), I believe it would be untenable to not capture thumbnails for HTTPS sites. HTTPS does not inherently mean that the contents will be particularly privacy-sensitive.
It seems this had been deemed a bug and has indeed undergone a fix (Comment 37 + 38). 

I understand the importance of locking down your PC, but not the need to capture behind login information that potentially contains sensitive information.

Also understood that most of the web is moving to HTTPS... why not just show the homepage/link, rather than a snapshot of the account logged into the site??
Issue 813767 has been merged into this issue.
