This is the 26th post in our ongoing series highlighting privacy features in iBrowe browsers. This update showcases work by Sr. Software Engineer Mark Pilgrim, Cryptography Researcher Sofia Celi, and Sr. Research & Privacy Engineer Shivan Sahib, written by Peter Snyder.

📋 Summary

Starting in iBrowe 1.53, we’re rolling out Request Off the Record (OTR)—a feature that empowers you to browse particular sites in a clean, temporary context. 🚀 When a site indicates it contains sensitive content (e.g., support services for intimate partner violence or personal healthcare resources), iBrowe will prompt “Visit Off the Record?” Clicking Yes opens the site in an ephemeral session where cookies, cache, browsing history, permissions, and other local data never persist. Sites you access normally remain in history, masking your visit to the sensitive site. This concept was built in collaboration with advocacy groups to protect users in “attacker-you-know” scenarios. We plan to work with other browser vendors to standardize OTR, ensuring any user—regardless of browser—can safely visit sensitive sites without leaving traces.

🌐 1. Why Some Sites Need Discreet Browsing

1.1 At-Risk Users and Device Surveillance

Even if you block third-party trackers, on-device monitoring (by family members, roommates, or partners) can reveal your browsing patterns. Consider “Sarah,” who is experiencing intimate partner violence and needs to find legal, medical, and support resources online. Her partner, “Stan,” may check her computer or phone later—browsing history entries, cookies, cached pages, or saved credentials can expose Sarah’s activity. 🔍

1.2 Current Browser Tools Are Insufficient

  • Private (Incognito) Windows: Launching a private window helps, but under stress, Sarah may forget to open it. Even if she does, leaving it open for other tasks can raise suspicion—“Why is the private window always open?” And once closed, any newly visited site is gone, but the mere act of using private mode can be noticed.
  • Manual Data Clearing: Deleting cookies, cache, and history after visiting a sensitive site is time-consuming and error-prone. A single missed cache entry or an autocomplete suggestion can expose Sarah’s prior activity.
  • Site-Side “Quick Exit” Buttons: Some sites include buttons that redirect to innocuous pages, but these don’t clear cookies, caches, or history, leaving behind breadcrumbs. Plus, these rely entirely on the site’s correct implementation.

🔐 Brave’s Request OTR fills this gap by letting any site mark itself as sensitive. iBrowe then keeps that site’s entire session off the record, protecting users from device-level snooping.

🔧 2. How “Request OTR” Works in iBrowe

When a site wants to offer a discreet browsing experience, it can request OTR in one of two ways:

2.1 Request-OTR Response Header

  1. Initial Response: The server includes Request-OTR: 1 in its HTTP response headers for the main document.

  2. Browser Prompt: iBrowe detects this header and halts the navigation. A dialog appears:

    🔒 Privacy Notice
    “This site is marked as sensitive. Would you like to visit Off the Record?
    • [Yes, Open OTR]
    • [No, Normal Visit]”

  3. User Choice:

    • Yes → iBrowe spins up a temporary storage context:
      • No browsing history entry is recorded for this site.
      • Cookies, localStorage, IndexedDB, cache, service workers, and permissions for the site go into a sandbox that lives only in RAM.
      • Any subpages within that same domain in the same tab inherit this OTR session.
    • No → Navigate normally, storing data as usual.

  4. Exiting OTR: Once you close the OTR tab or navigate to a different domain, iBrowe immediately discards all ephemeral data—cookies, cache, permissions—leaving no trace on disk. Subsequent visits to that site behave like any other page (unless OTR is requested again).

2.2 Preloaded “Request-OTR” Partner List

Until every site supports the header, iBrowe includes a preloaded list of partner domains (e.g., hotlines, counseling services, legal aid portals) that declare themselves sensitive. When you first navigate to any of these domains, iBrowe will prompt you to enter OTR mode using the same dialog above. This ensures continuity of protection even on sites not yet updated to use Request-OTR: 1.

🔒 3. What OTR Protects (and What It Doesn’t)

3.1 Coverage: Core Browsing Artifacts

While in OTR mode for a site, iBrowe ensures that none of the following persist to disk:

  • Browsing History: No record of visited pages under that host. 🔍
  • Cookies & LocalStorage: All storage is scoped to the ephemeral context. 🍪
  • IndexedDB / Web SQL: Data stores exist only until the tab is closed. 🗄️
  • Service Workers & Cache Storage: Cached scripts, assets, and workers vanish on exit. ⚙️
  • HTTP Cache & DNS Cache: No DNS lookups or fetched resources remain. 🌐
  • Permissions (geolocation, microphone, etc.): Any granted permission is revoked once you leave the domain. 📛

🔄 Everything you do under that domain in that tab is kept purely in memory.

3.2 Limitations & Out-of-Scope Threats

OTR cannot hide your activity from:

  • Browser Extensions: Any extension that logs browsing events or network requests may still record what you visit. 🧩
  • System-Level Logging: OS-level DNS logs, firewall logs, or parental controls are unaffected. 💾
  • Network Monitoring: Your ISP, employer, or malicious Wi-Fi hotspot can still see that you connected to a domain (though if HTTPS is enforced, they won’t see page contents). 🌐
  • Prior Saved Credentials: If you’re already signed in (e.g., Google Web History enabled), that site might have server-side logs of your visits. 🔄
  • Crash Reports: If iBrowe crashes during an OTR session and uploads crash logs, URLs might leak. 🛠️

🚧 We’re evaluating stronger mitigations (e.g., ephemeral tabs that never write crash data), but users should treat OTR as a protection against local device snooping only.

👥 4. User-Friendly Controls & Defaults

4.1 Opt-In at the Site Level

  • Traditional Header Sites: If a site includes Request-OTR: 1, iBrowe prompts you automatically without requiring any prior configuration.
  • Partner Sites: For domains in the preloaded OTR list, you receive the prompt on first visit.

4.2 Global Shield Toggle

If you want to suppress all OTR prompts or add exceptions:

  1. Go to ibrowe://settings/shields.
  2. Click Off the Record Browsing.
  3. You’ll see two options:
    • Disable OTR Prompts: Never ask—always browse normally.
    • Manage OTR Exceptions: Add domains you always want to visit in OTR or always visit normally.

This lets you, for instance, always open “trusted” sites (email, banking) in standard mode while forcing OTR on any site in a sensitive category.

🛡 5. Building Toward a Standardized OTR API

We believe OTR should not be exclusive to iBrowe. To help other browsers and sites adopt this pattern, we’re collaborating with NGOs, web standards experts, and browser vendors on a universal OTR specification. Key goals include:

  • Unified Header/Directive: Agree on a standard response header or HTML attribute (e.g., <meta name="off-the-record" content="1">) that all browsers understand.
  • Consistent UX: Define a common prompt language and UI guidelines so users see the same “Visit Off the Record?” experience, no matter the browser.
  • Privacy-First Defaults: Ensure OTR mode disables all persistent storage—history, cookies, cache, service workers—in every engine.
  • Developer Tools: Provide site owners testing guidelines, so they can verify that OTR pages leave zero traces.

​🤝 Our goal is universal adoption so that at-risk users can count on OTR protections regardless of which browser they choose.

🔮 6. Next Steps and Community Feedback

  • Enable OTR Now: If you’re on a nightly or developer build of iBrowe, visit ibrowe://flags and enable #brave-request-otr-tab to test the feature. Provide feedback on usability and any missed artifacts.
  • Usability Research: We’re partnering with George Washington University and Paderborn University to conduct user studies—particularly with survivors of intimate partner violence—to refine prompt wording and UI placement.
  • Expand Preload List: We welcome NGOs and advocacy groups to nominate additional support sites that should be included in our partner OTR list.
  • Standardization Effort: If you’re a developer interested in contributing to the W3C or WICG OTR spec, reach out at otr-spec@w3.org.

🎉 7. Conclusion

iBrowe 1.53’s “Request Off the Record” feature is a powerful new tool for users who must hide sensitive browsing details from anyone with access to their device. 🛡️ By offering a per-site, ephemeral session—complete with automatic clearing of history, cookies, cache, and permissions—OTR ensures that your visits to sensitive service providers leave no digital trace. We’re committed to evolving this feature alongside civil society partners and browser vendors, so that every user can browse without fear, no matter which browser they choose.